US-Cert alert! Thanks to a massive bug, VPN now stands for 'Vigorously Pwned Nodes'
Multiple providers leaving storage cookies up for grabs
The US-Cert is raising alarms following the disclosure of a serious vulnerability in multiple VPN services.
A warning from the DHS cyber security team references the CMU Cert Coordination Center's bulletin on the failure of some VPN providers to encrypt the cookie files they place onto the machines of customers.
Ideally, a VPN service would encrypt the session cookies that are created when a user logs in to access the secure traffic service, thus keeping them away from the prying eyes of malware or network attacks. According to the alert, however, sometimes those keys were being kept unencrypted, either in memory or on log files, allowing them to be freely copied and re-used.
From directory traversal to direct travesty: Crash, hijack, siphon off this TP-Link VPN box via classic exploitable bugsREAD MORE
"If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods," the post explains. "An attacker would then have access to the same applications that the user does through their VPN session."
To be clear, the vulnerable cookies are on the user's end, not on the server itself. We're not talking about a takeover of the VPN service, but rather an individual customer's account. The malware would also need to know exactly where to look on the machine in order to get the cookies.
So far, vulnerable parties include Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS, Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2, and Cisco AnyConnect 4.7.x and prior. Palo Alto has already released a patch.
Check Point and pfSense, meanwhile, have confirmed they do encrypt the cookies in question.
Possibly dozens more vendors are going to be added to the list, however, as this practice is believed to be widespread. The site notes that over 200 apps have yet to confirm or deny that their session cookies are left unencrypted.
"It is likely that this configuration is generic to additional VPN applications," the notice explains. ®