At least 4 Virtual Private Network (VPN) apps sold or available to corporate customers share security flaws, warns the Coordinating Center for Carnegie Mellon University (CERT/CC) and the Department of Homeland Security’s Computer Emergency Response Center (US-CERT).
In a security alert issued earlier today, it affects US-CERT, Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure VPN apps reported in the DHS.
All four were confirmed to store unencrypted authentication and/or session cookies inside the memory or log files of a computer stored on the disk.
An attacker with computer access or malware running on the computer can retrieve this information and then use it to resume VPN sessions on another system without authentication. This allows an attacker to access the internal network, intranet portals or other sensitive applications directly and without impairment.
The following products and versions store VPN authentication/session cookies insecurely in log files, according to the CERT/CC alert:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
The following products and versions store the VPN authentication/session cookie insecurely in memory:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
– Cisco AnyConnect 4.7.x and prior
Palo Alto Networks released an update to deal with both problems.
F5 Networks has been aware that some of its VPN apps have stored OS memory authentication/session cookies in unsafe form since 2013, but has decided not to release a patch by advising customers to enable their VPN client to use OTP (one-time password) or 2FA (two-factor authentication) instead of just using a password challenge.
The F5 Network BIG-IP app patched the 2017 issue of storing authentication/session cookies in local log files.
Cisco and Pulse Secure did not publicly acknowledge the problems. The apps Check Point and pfSense Enterprise VPN were considered safe.
“This configuration is likely to be generic to additional VPN applications,” Oliver said, suggesting that many of the other 240 enterprise VPN providers CERT / CC keeps track of might also be affected and would require more testing.
The “Remote Access” working group with National Defense ISAC, a cyber-sharing community and physical security indicators for the US defense sector, has raised the question of unsafe storage of VPN company authentication/session cookies.
