Enterprise VPN applications developed by Palo Alto Networks, Pulse Secure, Cisco, and F5 Networks are storing authentication and session cookies insecurely according to a DHS/CISA alert and a vulnerability note issued by CERT/CC, potentially allowing attackers to bypass authentication.
As detailed in the Common Weakness Enumeration database in CWE-311, the fact that an app fails to “encrypt sensitive or critical information before storage or transmission” could allow would-be attackers to intercept traffic data, read it and inject malicious code/data to perform a Man-in-the-Middle (MitM) attack.
The alert issued today by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also states that a potential “attacker could exploit this vulnerability to take control of an affected system.”
Also, the vulnerability note written by Carnegie Mellon University’s Madison Oliver says that “If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.”
CERT/CC says:
The following products and versions store the cookie insecurely in log files:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
The following products and versions store the cookie insecurely in memory:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
– Cisco AnyConnect 4.7.x and prior
In addition, according to CERT/CC’s note, “It is likely that this configuration is generic to additional VPN applications,” which means that hundreds of VPN apps from a total of 237 vendors can potentially be impacted by this information disclosure vulnerability reported by the National Defense ISAC Remote Access Working Group.
While VPN apps from Check Point Software Technologies and pfSense were found to not be vulnerable, Cisco and Pulse Secure haven’t yet issued any info regarding this vulnerability.
Palo Alto Networks published a security advisory with further information on this information disclosure vulnerability tracked as CVE-2019-1573, and published the GlobalProtect Agent 4.1.1 and later for Windows and GlobalProtect Agent 4.1.11 and later for macOS security updates.
F5 Networks on the other hand, while being “aware of the insecure memory storage since 2013” decided not to patch it and provides the following solution as a mitigation measure: “To mitigate this vulnerability, you can use a one-time password or two-factor authentication instead of password-based authentication.”
However, the insecure log storage issue has been patched in the F5 Networks BIG-IP app since versions 12.1.3 and 13.0.1, released in 2017.
To read the original article: https://www.bleepingcomputer.com/news/security/multiple-enterprise-vpn-apps-allow-attackers-to-bypass-authentication/