Hackers can exploit a vulnerability in VPN applications from four cybersecurity vendors, including networking vendor Cisco and security vendor Palo Alto Networks, to take control of user applications, researchers warn.
The CERT Coordination Center at Carnegie Mellon University found that VPN applications built by Cisco, Palo Alto Networks, F5 Networks and Pulse Secure stored tokens and session cookies insecurely in memory or log files. The US Department of Homeland Security's cybersecurity division issued a notice following the publication of the CERT report. Cisco has denied being affected by the flaw.
CERT said that Check Point Software Technologies and pfSense VPN applications were not affected by this vulnerability. However, the status of VPN applications from more than 200 other vendors is unknown, according to CERT.
If an attacker has persistent access to a VPN user's endpoint, or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods, according to CERT. An attacker with stolen tokens will have access to the same company applications, systems and data that a legitimate user has through the VPN session, CERT says.
CERT said that Cisco AnyConnect 4.7.x and earlier store the session cookie insecurely in memory. However, a company spokesperson told CRN that Cisco has investigated the issue and that Cisco AnyConnect is not vulnerable to the behavior described in the CERT security note. Cisco's stock is up $0.58 (1
CERT also found that Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS store the session cookie insecurely in both memory and log files.
Palo Alto Networks confirmed that the agent was vulnerable and encouraged Windows users to update to GlobalProtect Agent 4.1.1 and macOS users to update to GlobalProtect Agent 4.1.11 or later, for which an update is available.
"Palo Alto Networks follows Coordinated Security Issue Enlightenment and security of our customers is of utmost importance to us," a company spokesperson told CRN. "When we were notified by CERT / CC about a problem affecting multiple vendors, we were working with them at the time of the release of our security advice."
Palo Alto Networks' stock is down $1.41 (0.57 percent) to $244.92 in trading Friday afternoon.
Likewise, CERT found that Pulse Secure Connect Secure versions before 8.1R14, 8.2, 8.3R6 and 9.0R2 store the session cookie insecurely in both memory and log files.
The company acknowledged that the vulnerability exists in Pulse Connect Secure 9.0R1 – 9.0R2, 8.3R1 – 8.3R6 and 8.1R1 – 8.1R13, and in Pulse Desktop Client 9.0R1 – 9.0R2 and 5.3R1 – 5.3R6, and said customers should upgrade to a fixed version of Pulse Desktop Client or Pulse Connect Secure. The Pulse Desktop Client needs only a client-side fix, the company said, and does not require a server-side upgrade.
"This vulnerability was previously resolved, and Pulse Secure issued a security assessment," a Pulse Secure spokesman said.
Meanwhile, F5 Networks has been aware of the insecure memory storage in its BIG-IP APM, BIG-IP Edge Gateway and FirePass products since February 2014, but has never released an update. Instead, the company recommended that users rely on a one-time password or two-factor authentication rather than password-based authentication.
As for the insecure log storage, F5 Networks has been aware of the problem in its BIG-IP APM system since December 2017 and fixed it in versions 12.1.3 and 13.1.0 and later. The company did not respond to a request for further comment.