US CERT warns of vulnerabilities in VPN apps

The Cybersecurity and Infrastructure Security Agency (CISA) and the US-CERT warn of vulnerabilities in VPN applications for corporate environments.

Virtual Private Networks (VPNs) are used to establish a secure connection to another network over the Internet. However, multiple VPN applications store authentication and/or session cookies insecurely in memory and/or log files.

The security advisory (Vulnerability Note VU#192371) from the Software Engineering Institute of Carnegie Mellon University, dated 11.4.2019, warns of these vulnerabilities in VPN applications and states that the applications store session cookies insecurely. This is what it says:

CWE-311: Missing Encryption of Sensitive Data
The following products and versions store the cookie insecurely in log files:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the cookie insecurely in memory:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
– Cisco AnyConnect 4.7.x and prior

The above text excerpt names the relevant VPN products from different vendors that are used in enterprise environments. Other VPN products based on the above applications are likely to be affected.

If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie by other means, they can replay the session and bypass other authentication methods. The attacker would then have access to the same applications as the user through the user’s VPN session. Palo Alto Networks GlobalProtect version 4.1.1.1 fixes this vulnerability. There are no known updates from other vendors. (via TechCrunch)
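The log-file half of the CWE-311 finding comes down to a client writing its session cookie into a debug log that any local user or malware can read. As an added illustration (not code from the advisory or from any of the named vendors), the following scrubs cookie values out of log records before they reach disk; the cookie names, paths and sample log lines are assumptions constructed for the example.

```python
import logging
import re

# Assumed names for a VPN client's session cookie; real clients use their own.
SESSION_COOKIE_NAMES = ("sessid", "session", "sid")
# Set-Cookie attributes whose values are not secrets and may stay in the log.
COOKIE_ATTRIBUTES = {"path", "domain", "expires", "max-age", "samesite"}

_HEADER_RE = re.compile(r"(?i)\b((?:set-)?cookie:\s*)([^\r\n]*)")
_PAIR_RE = re.compile(r"([^=;\s]+)=([^;\r\n]*)")
_BARE_RE = re.compile(r"(?i)\b(" + "|".join(SESSION_COOKIE_NAMES) + r")=([^;\s]+)")


def _scrub_pairs(header_value: str) -> str:
    """Blank every cookie value inside a Cookie/Set-Cookie header, keep attributes."""
    def repl(m):
        name = m.group(1)
        if name.lower() in COOKIE_ATTRIBUTES:
            return m.group(0)
        return f"{name}=[REDACTED]"
    return _PAIR_RE.sub(repl, header_value)


def redact_session_cookie(line: str) -> str:
    """Return the log line with session cookie values replaced by [REDACTED]."""
    line = _HEADER_RE.sub(lambda m: m.group(1) + _scrub_pairs(m.group(2)), line)
    # Also catch bare name=value mentions outside an HTTP header.
    return _BARE_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)


class CookieRedactingFilter(logging.Filter):
    """Attach to the log handler so the cookie never reaches the log file."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_session_cookie(record.getMessage())
        record.args = None  # message is already fully formatted
        return True


# Constructed lines in the style of a chatty client debug log (not real output).
SAMPLE_LINES = [
    "POST /vpn/login 200; Set-Cookie: sessid=0a1b2c3d4e5f; Path=/; Secure; HttpOnly",
    "GET /portal/ 200; Cookie: lang=en; sessid=0a1b2c3d4e5f",
    "tunnel up, cached session=9f8e7d6c for reconnect",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    logging.getLogger().handlers[0].addFilter(CookieRedactingFilter())
    for sample in SAMPLE_LINES:
        logging.debug(sample)
```

The filter sits on the handler rather than the logger, so records from every module that reaches that handler are scrubbed; this only addresses the log-file finding, not the in-memory one.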