VPN applications exposed to critical vulnerability

Multiple VPN applications fail to properly encrypt sensitive data and store session cookies insecurely.

Article updated April 15, 2019 with new Pulse Secure advisory as stated below.

The CERT Coordination Center (CERT/CC) has released security advisory VU#192371, and as of its update on Friday, at least three vendors are vulnerable to insecurely storing session cookies in memory and/or log files.

Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS are known to store session cookies insecurely in memory and log files. According to the CVE-2019-1573 details, an attacker could access authentication and/or session tokens and replay them to spoof the VPN session and gain access as the user.

Palo Alto Networks has patched the vulnerability with GlobalProtect Agent version 4.1.1 for Windows and GlobalProtect Agent version 4.1.11 for macOS.

Two other vendors are also vulnerable to the VPN flaw according to CERT/CC: Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2 (cookies stored in memory and logs) and Cisco AnyConnect 4.7.x and prior (cookies stored in memory only).

As of Friday, CERT/CC was not aware of any patches made available for Cisco AnyConnect.

Update (April 15): according to the original CERT/CC advisory, Pulse Secure Connect Secure did not have an update as of the 13th. However, Pulse provided a new update on Monday, April 15, and released an Out-of-Cycle Advisory (SA44114 – 2019-04): Pulse Desktop Client and Network Connect improper handling of session cookies (CVE-2019-11213). New software updates that address the VPN vulnerability are available from the Pulse Secure Download Center website.

F5 Networks, Inc. was also listed in the advisory as affected by the vulnerability, but has not provided any updates as of the latest CERT/CC publication.

Three other VPN vendors were confirmed NOT to be impacted by the VPN vulnerability: Check Point Software Technologies, LANCOM Systems GmbH and pfSense. Over 200 other vendors did not have any updates on whether their products were impacted.

You can also read more about the common weakness in encryption of sensitive data in CWE-311.