Cisco, Palo Alto Networks Among Those Impacted By VPN App Flaw: Researchers

Carnegie Mellon’s vulnerability disclosure center found that VPN apps built by Cisco, Palo Alto Networks, F5 Networks and Pulse Secure insecurely store authentication tokens and session cookies in memory or log files. Cisco disputes the finding.

Hackers could exploit a VPN application vulnerability found in products from four cybersecurity vendors including networking market leader CIsco and security vendor Palo Alto Networks to take control of a user's applications, researchers warn.

The CERT Coordination Center at Carnegie Mellon University found that VPN apps built by Cisco, Palo Alto Networks, F5 Networks and Pulse Secure insecurely store authentication tokens and session cookies in memory or log files. The U.S. Department of Homeland Security's cybersecurity division issued an alert following the publication of the CERT report. Cisco has denied that it is impacted by the flaw.

CERT said that VPN applications from Check Point Software Technologies and pfSense were not affected by this vulnerability. The status of VPN applications from more than 200 other vendors, however, remains unknown, according to CERT.

If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they could replay the session and bypass other authentication methods, according to CERT. An attacker with a stole tokens would have access to the same company apps, systems and data as a legitimate user does through their VPN session, CERT said.

[Related: Feds Warn Cybercriminals Are Targeting SAP, Oracle ERP Applications]

CERT said that Cisco AnyConnect 4.7.x and prior store the session cookie incorrectly in memory. A company spokesperson, however, told CRN that Cisco investigated this issue and determined Cisco AnyConnect is not vulnerable to the behavior described in the vulnerability note from CERT. Cisco's stock is up $0.58 (1.03 percent) to $56.18.

CERT also found that Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 store the session cookie incorrectly in both memory and log files.

Palo Alto Networks confirmed that its agent was vulnerable, and encouraged Windows users to update to GlobalProtect Agent 4.1.1 and macOS users to update to GlobalProtect Agent 4.1.11 or later, for which a patch is available.

"Palo Alto Networks follows Coordinated Vulnerability Disclosure and the security of our customers is of the utmost importance to us," a company spokesperson told CRN. "Once we were notified by CERT/CC of an issue affecting multiple vendors, we worked with them on the timing of the release of our security advisory."

Palo Alto Networks stock is down $1.41 (0.57 percent) to $244.92 in trading Friday afternoon.

Similarly, Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2 were found by CERT to be storing the session cookie incorrectly in both memory and log files.

The company acknowledged that the vulnerability exists in: Pulse Connect Secure 9.0R1 – 9.0R2, 8.3R1 – 8.3R6, and 8.1R1 – 8.1R13; as well as Pulse Desktop Client 9.0R1 – 9.0R2 and 5.3R1 – 5.3R6, and said customers should upgrade to a fixed version of Pulse Desktop Client or Pulse Connect Secure. Pulse Desktop Client only needs a client-side fix, the company said, and doesn't require a server-side upgrade.

"This vulnerability had previously been resolved and Pulse Secure has issued a Security Advisory," a Pulse Secure spokesperson said.

F5 Networks, meanwhile, has been aware of the insecure memory storage on its BIG-IP APM, BIG-IP Edge Gateway, and FirePass products since February 2014, but never pursued a patch. Instead, the company recommended that users rely on a one-time password or two-factor authentication instead of password-based authentication.

As for the insecure log storage, F5 Networks has been aware of the issue in its BIG-IP APM system since December 2017 and fixed it in version 12.1.3 and 13.1.0 and onwards. The company didn't respond to a request for additional comment.