The National Cybersecurity and Communications Integration Center (NCCIC), the Department of Homeland Security’s cybersecurity division, published an alert on Friday highlighting a flaw found in a number of enterprise virtual private network (VPN) products. These products come from four vendors: Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure.
The alert followed a disclosure from Carnegie Mellon University’s vulnerability center, the CERT Coordination Center.
The researchers that unearthed the flaws warned that it was “likely” that similar flaws exist in additional VPN applications and products.
While VPNs are used by companies to provide their employees with secure connections to work applications when working remotely, the vulnerability discovered can allow hackers to instead use the secure connections as an avenue to launch cyberattacks.
The vulnerable VPN products store authentication and/or session cookies insecurely in memory and/or in log files. Because these cookies are stored in plain text, anyone who obtains one can present it to the VPN and gain access to applications without having to log in.
Thus, a hacker need only gain access to a single employee device and they would be able to extract these VPN cookies and open a connection to the company’s internal network.
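The insecure log storage described above, and its mitigation, as an added example that is not from the article or any of the named vendors: a debug logger that writes a received Set-Cookie header verbatim (the weak pattern) beside the same logger with a redaction filter attached, so session cookie values never reach the log file. The cookie names, the log format and the token value are constructed assumptions; the article does not specify them.

```python
import logging
import re

# Constructed cookie names standing in for whatever a given VPN client calls
# its session/auth cookie; the article does not name them (assumption).
SENSITIVE_COOKIES = ("session", "auth_token", "webvpn")

# Matches name=value for any sensitive cookie; the value ends at ';' or space.
_COOKIE_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, SENSITIVE_COOKIES)) + r")=([^;\s]+)",
    re.IGNORECASE,
)

def redact_cookies(text: str) -> str:
    """Mask the value of every sensitive cookie, keeping the name so the line
    stays useful for debugging without exposing a reusable credential."""
    return _COOKIE_RE.sub(lambda m: f"{m.group(1)}=<redacted>", text)

class CookieRedactionFilter(logging.Filter):
    """Logger-level filter: scrubs cookie values before any handler
    (file, syslog, SIEM forwarder) gets to write the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_cookies(record.getMessage())
        record.args = ()  # already formatted; nothing left to interpolate
        return True

def filtered_message(fmt: str, *args) -> str:
    """Run one would-be log call through the filter and return the text that
    would actually reach the handlers."""
    rec = logging.LogRecord("vpnclient", logging.DEBUG, __file__, 0, fmt, args, None)
    CookieRedactionFilter().filter(rec)
    return rec.getMessage()

def hardened_client_logger(name: str = "vpnclient.hardened") -> logging.Logger:
    """The mitigation: the same debug logger with the redaction filter attached."""
    logger = logging.getLogger(name)
    logger.addFilter(CookieRedactionFilter())
    return logger

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(name)s: %(message)s")
    header = "webvpn=AbC123xyz; Path=/; Secure; HttpOnly"  # constructed sample
    # The weak pattern: a plain debug logger writes the raw header to disk.
    logging.getLogger("vpnclient.vulnerable").debug("Set-Cookie: %s", header)
    hardened_client_logger().debug("Set-Cookie: %s", header)  # webvpn=<redacted>
```

Attaching the filter to the logger rather than to one handler matters: a cookie that is masked in the file handler but still forwarded unmasked to a SIEM is the same exposure in a different place.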
Specifically, Palo Alto Networks’ GlobalProtect endpoint agents for Windows (version 4.1.0) and macOS (version 4.1.10 and earlier) store the cookie insecurely in log files and in memory, as does Pulse Secure’s Connect Secure product in versions prior to 8.1R14, 8.2, 8.3R6, and 9.0R2. Cisco’s AnyConnect, version 4.7.x and earlier, stores the cookie insecurely in memory only.
As of publication, Palo Alto Networks had already issued a patch for the flaw; Pulse Secure had issued a security advisory advising customers to update to the unaffected versions. Cisco has yet to issue a patch, but in a statement to the NCCIC noted that the feedback will be incorporated into discussions on future design improvements to Cisco’s VPN product.
According to the NCCIC, F5 has been aware of the insecure memory storage since 2013, but has yet to issue a patch for its affected Edge Client components. According to F5, the severity of this flaw is low and it has provided its customers with guidance to mitigate it. The center also said that F5 was aware of the insecure log storage and fixed it in versions 12.1.3, 13.0.1, and 13.1.0 and later of its Big-IP Access Policy Manager, which among other tasks can provide access to VPN services. The company has issued advisories for both vulnerabilities.