The CERT Coordination Center (CERT/CC) with the US Department of Homeland Security (DHS) has issued a warning of a newly discovered vulnerability affecting possibly hundreds of Virtual Private Network (VPN) applications.
Virtual Private Networks (VPNs) are used to create a secure connection with another network over the internet. However, multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files, according to the CERT/CC Vulnerability Note VU#192371.
According to CERT , the following products and versions store the cookie insecurely in log files and memory, but it is likely that this configuration is generic to additional VPN applications:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
- Cisco AnyConnect 4.7.x and prior
If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.
If you are using any of the affected VPN products, make sure to update them:
- Palo Alto Networks GlobalProtect Agent version 4.1.1 and later for Windows and GlobalProtect Agent version 4.1.11 and later for macOS patch this vulnerability.
- Pulse Desktop Client and Network Connect improper handling of session cookies (CVE-2016-8201) SA44114 - 2019-04: Out-of-Cycle Advisory.
- There is not any known patch at the time of publishing for Cisco AnyConnect.