Numerous enterprise VPN clients could be affected by a potentially serious security weakness that would let an attacker gain access by replaying a user's session, warns an alert from Carnegie Mellon University's CERT Coordination Center (CERT/CC).
Connecting to a business VPN gateway made by a particular vendor generally requires a dedicated client application designed to work with it. So far, the problem has only been confirmed in clients from four vendors: Palo Alto, F5 Networks, Pulse Secure and Cisco, but others could be affected.
The problem is the surprisingly basic one that these applications have been storing session and authentication cookies insecurely, in memory or in log files, leaving them open to misuse. CERT/CC explains:
“If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would have access to the same applications that the user does through their VPN session.”
On a network that does not enforce additional authentication, that would amount to handing the privileges of a business VPN to anyone who can get at the exposed data.
The weakness takes two forms: cookies stored insecurely in log files, and cookies stored insecurely in memory. The following clients suffer from both:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows
- Palo Alto Networks GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6 and 9.0R2
- A range of F5 Edge Client components, including BIG-IP APM, BIG-IP Edge Gateway and FirePass (CVE-2013-6024)
In addition, Cisco AnyConnect 4.7.x and earlier stores the cookie insecurely in memory. But the alert lists 237 vendors in total, of which only three are definitely not affected. Hence:
“It is likely that this configuration is generic to additional VPN applications.”
This should be read as a flashing red warning that many more VPN clients may suffer from the same problems.
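The log-file half of the weakness is something an administrator can check for on an endpoint before a vendor patch arrives. The script below is an added example, not code from CERT/CC or any of the vendors named: it scans a client log for `Cookie` / `Set-Cookie` headers, reports every cookie value written in the clear, and produces a redacted copy that keeps the harmless attributes (`Path`, `Max-Age`, …) so the log stays useful for debugging. The sample log lines and the `PORTALSESSION` cookie name are constructed for the example and do not correspond to any real client's output.

```python
import re

# Constructed sample of what a VPN client's debug log might contain; these are
# invented lines and invented cookie values, not output from any real client.
SAMPLE_LOG = """\
2019-04-11 10:02:13 INFO  portal login succeeded for user jdoe
2019-04-11 10:02:13 DEBUG response header: Set-Cookie: PORTALSESSION=9f3c1a7b2e; Path=/; Max-Age=3600; Secure; HttpOnly
2019-04-11 10:02:14 DEBUG request header: Cookie: PORTALSESSION=9f3c1a7b2e
2019-04-11 10:05:40 INFO  tunnel established, assigned address 10.20.0.7
"""

# A Cookie / Set-Cookie header and the name=value pairs inside it.
COOKIE_HEADER = re.compile(r"(?i)\b(Set-Cookie|Cookie):\s*([^\r\n]+)")
PAIR = re.compile(r"([A-Za-z0-9_\-]+)=([^;\s]+)")
# Standard cookie attributes that carry no secret and may stay in the log.
ATTRIBUTES = {"path", "domain", "expires", "max-age", "samesite"}


def find_leaked_cookies(log_text):
    """Return (line_number, cookie_name, value) for every cookie value in the log."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        header = COOKIE_HEADER.search(line)
        if header is None:
            continue
        for name, value in PAIR.findall(header.group(2)):
            if name.lower() not in ATTRIBUTES:
                hits.append((number, name, value))
    return hits


def redact_cookies(log_text):
    """Return the log with cookie values replaced, keeping names and attributes."""
    def fix_pair(pair):
        if pair.group(1).lower() in ATTRIBUTES:
            return pair.group(0)
        return f"{pair.group(1)}=<redacted>"

    def fix_header(header):
        return f"{header.group(1)}: {PAIR.sub(fix_pair, header.group(2))}"

    return COOKIE_HEADER.sub(fix_header, log_text)


if __name__ == "__main__":
    for number, name, value in find_leaked_cookies(SAMPLE_LOG):
        print(f"line {number}: cookie {name} stored in clear ({len(value)} chars)")
    print(redact_cookies(SAMPLE_LOG))
```

A hit from `find_leaked_cookies` on a production log means the session cookie is recoverable by anyone who can read that file, which is exactly the exposure the alert describes.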
Exploiting the flaw still requires the attacker to be on the same network as the target VPN in order to carry out the replay attack. It is not clear whether additional authentication would defend against this.
One defense that should work is to disconnect from sessions, which invalidates the stored cookies and makes them useless to anyone who steals them.
Beyond that, administrators should apply patches where they are available. For Palo Alto Networks GlobalProtect that is version 4.1.1, while Pulse Secure has yet to respond. Cisco advised users to always terminate sessions so that cookies are refreshed, before adding:
“The storage of the session cookie within the client's process memory and, in the case of clientless sessions, the web browser while the sessions are active is not considered an unwarranted exposure.”
F5 Networks said the insecure log storage was fixed in 2017, in versions 12.1.3 and 13.1.0 and later. As for memory storage:
“F5 has been aware of the insecure memory storage since 2013 and it has not yet been fixed.”
Administrators should consult F5's online documentation on the issue.