DHS alerts industry to insecure enterprise VPN apps
The Department of Homeland Security on Friday alerted the public to a vulnerability in multiple virtual private network applications that could give a hacker access to other apps running on a VPN connection.
The flaw involves the insecure storage of cookies in memory or in log files, and affects enterprise VPN apps made by Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure. Other vendors could be affected because the configuration issue is likely “generic” to other VPN apps, according to an advisory cited by DHS from Carnegie Mellon University’s CERT Coordination Center.
“If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods,” CERT CC said. “An attacker would then have access to the same applications that the user does through their VPN session.”
While Palo Alto Networks had patched its VPN product, Cisco had not, according to CERT CC. The added attention brought by the advisory could change that.
F5 Networks has fixed the insecure log storage issue in a newer version of its VPN app, and has advised users to employ two-factor authentication or a one-time password to address the memory storage flaw.
Pulse Secure said it issued an advisory on the vulnerability on April 11 and that the latest versions of its Pulse Desktop Client and Network Connect product fixed the issue.
VPN services are an important privacy tool that obfuscate a user’s location. However, if compromised, they can be a valuable foothold for attackers looking for access to organizations that use VPNs. Last month, Citrix, a VPN service widely used in the corporate world, announced that “international cyber criminals” had breached its internal network.
U.S. lawmakers are also worrying about the threat posed by foreign-made VPN apps to federal employees. Sens. Marco Rubio, R-Fla., and Ron Wyden, D-Ore., in February asked DHS for a threat assessment on the subject.
UPDATE, April 15, 4:50 p.m. EDT: This story has been updated with a statement from Pulse Secure showing that the vulnerability had been addressed in its product updates.