Some enterprise VPN apps store authentication/session cookies insecurely
At least four Virtual Private Network (VPN) applications sold or made available to enterprise customers share security flaws, warn the Carnegie Mellon University CERT Coordination Center (CERT/CC) and the Department of Homeland Security's Computer Emergency Response Center (US-CERT).
VPN apps from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure are impacted, CERT/CC analyst Madison Oliver said in a security alert published earlier today, echoed by the DHS' US-CERT.
All four have been confirmed to store authentication and/or session cookies in a non-encrypted form inside a computer's memory or log files saved on disk.
An attacker with access to the computer, or malware running on the computer, can retrieve this information and then use it on another system to resume the victim's VPN sessions without needing to authenticate. This allows an attacker direct and unimpeded access to a company's internal network, intranet portals, or other sensitive applications.
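As an added illustration of the log-file half of the issue (this is not code from CERT/CC or any vendor), the sketch below audits log lines for session-like values left in plaintext and redacts them before logs are shared. The key-name pattern, the entropy threshold and the sample lines are assumptions constructed for the example, since this article does not give the vendors' log formats.

```python
import math
import re
from collections import Counter

# Assumed key names and value shape; real client logs may differ.
KEY_RE = re.compile(
    r"(?i)\b([\w.-]*(?:cookie|session|auth|token)[\w.-]*)\s*[=:]\s*\"?"
    r"([A-Za-z0-9+/_-]{16,})"
)
MIN_ENTROPY = 3.0  # bits per character; assumed cut-off to skip placeholder values


def shannon_entropy(value):
    """Bits per character of the value's character distribution."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Return (line_no, key, value_length) per finding; the value itself is never returned."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in KEY_RE.finditer(line):
            if shannon_entropy(m.group(2)) >= MIN_ENTROPY:
                findings.append((no, m.group(1), len(m.group(2))))
    return findings


def redact(line):
    """Replace each suspected session value with a marker, keeping the key name."""
    def _sub(m):
        if shannon_entropy(m.group(2)) < MIN_ENTROPY:
            return m.group(0)
        return m.group(0)[: m.start(2) - m.start(0)] + "[REDACTED]"
    return KEY_RE.sub(_sub, line)


# Constructed sample log lines (not real vendor output).
SAMPLE = [
    "2019-04-11 09:14:02 INFO  tunnel established, mtu=1400",
    "2019-04-11 09:14:02 DEBUG portal response: authcookie=3f9a1c7be2d04586a1b7c9d2e4f60813",
    "2019-04-11 09:14:03 DEBUG session_id: AAAAAAAAAAAAAAAAAAAAAAAA",
    "2019-04-11 09:14:05 DEBUG reconnect using token=Zk3pQ9xLm2Vt8RwY1bNc7HsD",
]

if __name__ == "__main__":
    for no, key, length in scan_lines(SAMPLE):
        print(f"line {no}: '{key}' holds a {length}-character value in plaintext")
```

A finding means the log file should be treated as holding a live credential: restrict its permissions, and invalidate the session server-side if the file has already left the machine.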
Vulnerable enterprise VPN apps
According to the CERT/CC alert, the following products and versions store VPN authentication/session cookies insecurely in log files:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
The following products and versions store the VPN authentication/session cookie insecurely in memory:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
- Cisco AnyConnect 4.7.x and prior
Palo Alto Networks has released an update to address both issues (see v4.1.1).
F5 Networks said it's been made aware that some of its VPN apps store authentication/session cookies in the OS memory in an insecure manner since 2013, but has made a decision not to release a patch, advising customers to enable OTP (one-time password) or 2FA (two-factor authentication) for their VPN client instead of using just a password challenge.
The issue with storing authentication/session cookies in local log files was patched in the F5 Networks BIG-IP app in 2017.
Cisco and Pulse Secure have not publicly acknowledged the issues. Enterprise VPN apps from Check Point and pfSense were deemed safe.
Tens, possibly hundreds, of VPN apps may be vulnerable
"It is likely that this configuration is generic to additional VPN applications," Oliver said, suggesting that many of the other 240 enterprise VPN providers that CERT/CC is keeping track of might also be impacted, and would require more testing.
The "Remote Access" working group with the National Defense ISAC, a community for sharing cyber and physical security threat indicators for the US defense sector, was credited with raising the issue of insecure storage of enterprise VPN authentication/session cookies.
Article updated on April 12 with link to US-CERT alert.