VPN Vulnerability

Standard

InsecureVPNDo you use a VPN to connect to your office network?  If you do, you should be aware of a vulnerability alert issued by CERT (Computer Emergency Response Team) yesterday.  Many major VPN’s require an update to ensure safety.

I have pasted the CERT announcement below:

Multiple VPN applications insecurely store session cookies

Vulnerability Note VU#192371

Original Release Date: 2019-04-11 | Last Revised: 2019-04-11


Overview

Multiple Virtual Private Network (VPN) applications store the authentication and/or session cookies insecurely in memory and/or log files.

Description

Virtual Private Networks (VPNs) are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.

CWE-311: Missing Encryption of Sensitive Data
The following products and versions store the cookie insecurely in log files:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the cookie insecurely in memory:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
– Cisco AnyConnect 4.7.x and prior

It is likely that this configuration is generic to additional VPN applications. If you believe that your organization is vulnerable, please contact CERT/CC at cert@cert.org with the affected products, version numbers, patch information, and self-assigned CVE.

Impact

If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.

Solution

Apply an update
Palo Alto Networks GlobalProtect version 4.1.1 patches this vulnerability.

CERT/CC is unaware of any patches at the time of publishing for Cisco AnyConnect and Pulse Secure Connect Secure.