Some enterprise VPN apps store authentication/session cookies insecurely

VPN apps from Cisco, F5, Palo Alto Networks, and Pulse Secure found vulnerable.

Is your laptop protected by the VPN in your smartphone when you use it a hotspot? We answer this question and show you how to keep your connection safe.

At least four Virtual Private Network (VPN) applications sold or made available to enterprise customers share security flaws, warns the Carnegie Mellon University CERT Coordination Center (CERT/CC) and the Department of Homeland Security's Computer Emergency Response Center (US-CERT).

VPN apps from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure are impacted, CERT/CC analyst Madison Oliver said in a security alert published earlier today, echoed by the DHS' US-CERT.

All four have been confirmed to store authentication and/or session cookies in an non-encrypted form inside a computer's memory or log files saved on disk.

An attacker with access to the computer, or malware running on the computer, can retrieve this information and then use it on another system to resume the victim's VPN sessions without needing to authenticate. This allows an attacker direct and unimpeded access to a company's internal network, intranet portals, or other sensitive applications.

Vulnerable enterprise VPN apps

According to the CERT/CC alert, following products and versions store VPN authentication/session cookies insecurely in log files:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the VPN authentication/session cookie insecurely in memory:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
- Cisco AnyConnect 4.7.x and prior

Palo Alto Networks has released an update to address both issues --see v4.1.1.

F5 Networks said it's been made aware that some of its VPN apps store authentication/session cookies in the OS memory in an insecure manner since 2013, but has made a decision not to release a patch, advising customers to enable OTP (one-time password) or 2FA (two-factor authentication) for their VPN client --instead of using just a password challenge.

The issue with storing authentication/session cookies in local log files was patched in the F5 Networks BIG-IP app in 2017.

Cisco and Pulse Secure have not publicly acknowledged the issues. Enterprise VPN apps from Check Point and pfSense were deemed safe.

Tens, possibly hundreds, of VPN apps may be vulnerable

"It is likely that this configuration is generic to additional VPN applications," Oliver said, suggesting that many of the other 240 enterprise VPN providers that CERT/CC is keeping track of might also be impacted, and would require more testing.

The "Remote Access" working group with the National Defense ISAC, a community for sharing cyber and physical security threat indicators for the US defense sector, was credited with raised the issue of insecure storage of enterprise VPN authentication/session cookies.

Article updated on April 12 with link to US-CERT alert.

More vulnerability reports: