Several enterprise virtual private networking apps are vulnerable to a security bug that can allow an attacker to remotely break into a company’s internal network, according to a warning issued by The Department of Homeland Security’s cybersecurity division.
An alert was published Friday by the government’s Cybersecurity and Infrastructure Security Agency following a public disclosure by CERT/CC, the vulnerability disclosure center at Carnegie Mellon University.
The VPN apps built by four vendors — Cisco, Palo Alto Networks, Pulse Secure and F5 Networks — improperly store authentication tokens and session cookies on a user’s computer. These aren’t your traditional consumer VPN apps used to protect your privacy, but enterprise VPN apps that are typically rolled out by a company’s IT staff to allow remote workers to access resources on a company’s network.
The apps generate tokens from a user’s password and are stored on their computer to keep the user logged in without having to reenter their password every time. But if stolen, these tokens can allow access to that user’s account without needing their password.
But with access to a user’s computer — such as through malware — an attacker could steal those tokens and use them to gain access to a company’s network with the same level of access as the user. That includes company apps, systems and data.
So far, only Palo Alto Networks has confirmed its Global Protect app was vulnerable. The company issued a patch for both its Windows and Mac clients.
Neither Cisco nor Pulse Secure have patched their apps. F5 Networks is said to have known about storing since at least 2013 but advised users to roll out two-factor authentication instead of releasing a patch.
As per CERT warning, the following products and versions store the cookie insecurely in log files:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2.
The following products and versions store the cookie insecurely in memory:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0.
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2.
- Cisco AnyConnect 4.7.x and prior.
CERT warned that hundreds of other apps could be affected — but more testing was required.