
US-Cert alert! Thanks to a massive bug, VPN now stands for 'Vigorously Pwned Nodes'

Multiple providers leaving storage cookies up for grabs


The US-Cert is raising alarms following the disclosure of a serious vulnerability in multiple VPN services.

A warning from the DHS cyber security team references the CMU Cert Coordination Center's bulletin on the failure of some VPN providers to encrypt the cookie files they place onto the machines of customers.

Ideally, a VPN service would encrypt the session cookies that are created when a user logs in to access the secure traffic service, thus keeping them away from the prying eyes of malware or network attacks. According to the alert, however, those session cookies were sometimes being kept unencrypted, either in memory or in log files, allowing them to be freely copied and re-used.


"If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods," the post explains. "An attacker would then have access to the same applications that the user does through their VPN session."

To be clear, the vulnerable cookies are on the user's end, not on the server itself. We're not talking about a takeover of the VPN service, but rather an individual customer's account. The malware would also need to know exactly where to look on the machine in order to get the cookies.
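As an added example (not from the article or from any vendor it names), one way a client developer or reviewer can keep session cookies out of debug logs and check existing logs for values that were already written in plaintext; the cookie names and log lines are constructed:

```python
"""Keep VPN session cookies out of client log files (added example).

Two defender-side pieces: a redactor that fingerprints cookie values before
they reach disk, and a scanner that flags plaintext values already logged.
Cookie names and log lines are constructed, not any vendor's real format.
"""
import hashlib
import re

# Constructed names of cookies/parameters that carry session state.
SESSION_NAMES = ("session", "sessid", "authcookie")

# Matches "name=value" for a session-bearing name; the value runs up to the
# next ';', whitespace or end of line.
_COOKIE_RE = re.compile(
    r"(?i)\b(" + "|".join(re.escape(n) for n in SESSION_NAMES) + r")=([^;\s]+)"
)


def fingerprint(value: str) -> str:
    """Stable, non-reversible tag so log lines stay correlatable."""
    return "fp:" + hashlib.sha256(value.encode()).hexdigest()[:12]


def redact(line: str) -> str:
    """Replace every session cookie value in the text with its fingerprint."""
    return _COOKIE_RE.sub(lambda m: f"{m.group(1)}={fingerprint(m.group(2))}", line)


def find_plaintext_cookies(log_text: str) -> list:
    """Return (line number, cookie name) for lines still holding raw values."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in _COOKIE_RE.finditer(line):
            if not m.group(2).startswith("fp:"):
                hits.append((lineno, m.group(1)))
    return hits


# Constructed sample of a client debug log, as a leak would look on disk.
SAMPLE_LOG = """\
2019-04-12 10:01:03 INFO  connecting to gateway vpn.example.test
2019-04-12 10:01:04 DEBUG headers: Set-Cookie: authcookie=Zm9vYmFyc2VjcmV0; Path=/; Secure
2019-04-12 10:01:04 DEBUG tunnel up, session=abc123def456 keepalive=30
"""

if __name__ == "__main__":
    for n, name in find_plaintext_cookies(SAMPLE_LOG):
        print(f"line {n}: plaintext {name} value")
    print(redact(SAMPLE_LOG))
```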

So far, vulnerable parties include Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS, Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2, and Cisco AnyConnect 4.7.x and prior. Palo Alto has already released a patch.

Check Point and pfSense, meanwhile, have confirmed they do encrypt the cookies in question.

Possibly dozens more vendors are going to be added to the list, however, as this practice is believed to be widespread. The CERT/CC bulletin notes that over 200 apps have yet to confirm or deny that their session cookies are left unencrypted.

"It is likely that this configuration is generic to additional VPN applications," the notice explains. ®
