Enterprise VPN
applications made by Palo Alto Networks, Pulse Secure, Cisco, and F5 Networks
have been found to store authentication and session cookies insecurely,
according to a DHS/CISA alert and an accompanying vulnerability note
issued by CERT/CC, potentially allowing attackers to bypass authentication.
The alert,
issued on the 14th of April by the Department of Homeland Security's
Cybersecurity and Infrastructure Security Agency (CISA), additionally warns
that an "attacker could exploit this vulnerability to take
control of an affected system."
As described in
the Common Weakness Enumeration database under CWE-311, an
application that fails to "encrypt sensitive or critical information before
storage or transmission" could allow a would-be attacker to intercept
traffic, read it, and inject malicious code or data in order to carry out
a Man-in-the-Middle (MitM) attack.
CERT/CC says:
The following products and versions store the
cookie insecurely in log files:
- Palo Alto Networks GlobalProtect Agent 4.1.0
for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS
(CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14,
8.2, 8.3R6, and 9.0R2
The following products and versions store the
cookie insecurely in memory:
- Palo Alto Networks GlobalProtect Agent 4.1.0
for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS
(CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14,
8.2, 8.3R6, and 9.0R2
- Cisco AnyConnect 4.7.x and prior
According to the
note, "It is likely that this configuration is generic to additional VPN
applications," which suggests that many VPN applications from a total
of 237 vendors could be affected by this information disclosure
vulnerability.
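As an added illustration (not part of the CERT/CC note or of any vendor's code), the check below shows the log-file side of this weakness from a defender's viewpoint: a scanner that flags session-cookie values written to a client log in the clear, next to a scrubber that redacts them before they reach disk. The log lines, host name and cookie name are constructed samples, not output from any of the products named above.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample lines in the style of a VPN client's debug log.
# They are invented for this example, not output from any real product.
SAMPLE_LOG = [
    "2019-04-14 10:01:02 INFO  portal login ok user=alice",
    "2019-04-14 10:01:03 DEBUG request headers: Host: vpn.example.test; "
    "Cookie: session=8f2c1a7d9b0e4c55; Accept: */*",
    "2019-04-14 10:01:03 DEBUG response: Set-Cookie: session=8f2c1a7d9b0e4c55; "
    "Path=/; Secure; HttpOnly",
    "2019-04-14 10:01:04 INFO  tunnel established",
]

# A Cookie or Set-Cookie header and everything after it on the line.
_COOKIE_HEADER = re.compile(r"(?i)\b(set-cookie|cookie):\s*([^\r\n]*)")
# name=value pairs inside that header text; a value runs up to the next ';'.
_PAIR = re.compile(r"([A-Za-z0-9_\-]+)=([^;]*)")
# Set-Cookie attributes that are not secrets and may stay in the log.
_ATTRS = {"path", "domain", "expires", "max-age", "samesite"}
REDACTED = "[REDACTED]"


def find_cookie_leaks(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, cookie name) for each cookie value logged in the clear."""
    leaks: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for header in _COOKIE_HEADER.finditer(line):
            for pair in _PAIR.finditer(header.group(2)):
                name, value = pair.group(1), pair.group(2)
                if name.lower() not in _ATTRS and value != REDACTED:
                    leaks.append((number, name))
    return leaks


def scrub_log_line(line: str) -> str:
    """Replace every cookie value on the line with REDACTED before it is written."""
    def redact_pair(pair: re.Match) -> str:
        name = pair.group(1)
        return pair.group(0) if name.lower() in _ATTRS else f"{name}={REDACTED}"

    def redact_header(header: re.Match) -> str:
        return f"{header.group(1)}: {_PAIR.sub(redact_pair, header.group(2))}"

    return _COOKIE_HEADER.sub(redact_header, line)


if __name__ == "__main__":
    for number, name in find_cookie_leaks(SAMPLE_LOG):
        print(f"line {number}: cookie '{name}' stored in the clear")
    print("after scrubbing:", find_cookie_leaks(scrub_log_line(l) for l in SAMPLE_LOG))
```

Run over a real client's logs, the scanner reports where session material lands on disk; wiring the scrubber in front of the log writer is the corresponding fix for the log-file half of the weakness (the in-memory half needs a different remedy).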
Additionally,
the vulnerability note, written by Carnegie Mellon University's Madison Oliver,
says: "If an attacker has persistent access to a VPN user's endpoint
or exfiltrates the cookie using other methods, they can replay the session and
bypass other authentication methods. An attacker would then have access to the
same applications that the user does through their VPN session."
While VPN
applications from Check Point Software Technologies and pfSense were found
not to be vulnerable, Cisco and Pulse Secure have not yet released any
information regarding this vulnerability. Palo Alto Networks has published a
security advisory with additional information on this information disclosure
vulnerability, tracked as CVE-2019-1573.
F5 Networks, on the
other hand, while being "aware of the insecure memory storage since 2013," chose
not to fix it and offers the following mitigation instead: "To
mitigate this vulnerability, you can use a one-time password or two-factor
authentication instead of password-based authentication."