Security Bulletin: Vuln Affecting Multiple VPN Apps

This Security Bulletin is to inform you of the recent vulnerability found in multiple VPN applications. This vulnerability, which involves popular VPN apps storing authentication and session cookies insecurely, could potentially allow attackers to bypass authentication.

An alert has been issued by DHS/CISA regarding an exploit found in popular enterprise VPN applications caused by insecure storage of authentication and session cookies that could lead to authentication bypass (and replay attacks if the attacker has persistent access to the VPN endpoint). It is noted that this may be a generic configuration that is not unique to vendors specializing in large deployments of enterprise VPN software and devices, and could affect a wide array of vendors and their VPN applications.

Known Affected Products

The following products and versions store the cookie insecurely in log files:

  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
  • Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the cookie insecurely in memory:

  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
  • Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
  • Cisco AnyConnect 4.7.x and prior

Information Disclosure & References

This vulnerability information disclosure is being tracked in CVE-2019-1573.

Further CVE information resources:

Remediation

This is a developing issue; VPN software providers are actively working on patches to address this vulnerability.

With respect to specific vendors:

Palo Alto Networks VPN Client versions patched for this vulnerability:

  • GlobalProtect Agent 4.1.1 and later for Windows
  • GlobalProtect Agent 4.1.11 and later for macOS

Check Point & pfSense VPN apps are not vulnerable.

F5 Networks and Cisco have not responded or released any information.

Other authentication best practices:

In addition to patching all VPN client applications and hardware with the latest available security updates from the vendor, enabling Multi Factor Authentication or One-Time Passwords as a best practice is advised. 

There are no other known workarounds or mitigations for this vulnerability at this time.



Close off Canvas Menu