New Report Shows Security Vulnerabilities in Some VPN Products. Is Your Organization at Risk?

The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert that enterprise Virtual Private Network (VPN) products made by Cisco, Palo Alto Networks, F5 Networks and Pulse Secure have vulnerabilities that could compromise the security of users.

The alert was issued in response to the disclosure made by the CERT Coordination Center (CERT/CC), the coordination center of the computer emergency response team for the Software Engineering Institute at Carnegie Mellon University. The following VPN products and versions, according to CERT/CC, store the cookie insecurely in log files:

. Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)

. Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following VPN products and versions, meanwhile, store the cookie insecurely in memory:

. Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)

. Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

. Cisco AnyConnect 4.7.x and prior

“If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods,” CERT/CC said. “An attacker would then have access to the same applications that the user does through their VPN session.”

CERT/CC added that it’s “likely” that the above-mentioned security vulnerabilities also apply to other VPN products, not just with the mentioned 4 enterprise VPN products. CERT/CC, however, cleared the VPN products made by Check Point Software Technologies, LANCOM Systems GmbH and pfSense. In addition to VPN products from Cisco, Palo Alto Networks, F5 Networks and Pulse Secure, the center, gives uncertain status to more than 200 VPN products as to whether or not these VPN products encrypt sensitive files.

Common Software Weakness

VPN, which stands for Virtual Private Network, is a software program that’s supposed to create a secure connection with another network over the internet. One of the means of securing data over the internet is through encryption – the process of altering data into a code to render it unreadable to unauthorized users.

Storing the cookie insecurely in log files or memory, according to CERT/CC, falls under CWE-311, described as a failure of a software to encrypt sensitive or critical information before storage or transmission. CWE, which stands for Common Weakness Enumeration, is a community-developed list of software weakness types. CWE is maintained by the not-for-profit organization MITRE and sponsored by the United States Computer Emergency Readiness Team (US-CERT).

Failure of a software to encrypt sensitive or critical information before storage or transmission is often caused by missing a security tactic during the architecture and design phase. Negative consequences as a result of missing encryption of sensitive data include:

. Possibility for the injection of data into a stream of communication between two parties, a situation in which victims have no means of separating valid data from invalid; and

. Possibility for an attacker with access to the network traffic to sniff packets from the connection and uncover the data.

Cybersecurity Best Practices

It’s important to note that the VPN isn’t a cure-all solution for securing the connection with another network over the internet. The security vulnerabilities discovered by CERT/CC, however, are of medium severity, which means that these can only be exploited when the attackers compromise the user’s computer prior to spoofing the VPN session. 

Here are some cybersecurity best practices in order to counter the vulnerability discovered by CERT/CC:

Keep Your VPN Up-to-Date

No software vendor can claim that the software that it has developed is perfect. Along the way, new security vulnerabilities are discovered. Software vendors fix these vulnerabilities by inserting the correct code and users can implement it through installing the security update. It’s, therefore, important to timely install security updates of all software. In the case of the VPN vulnerabilities discovered by CERT/CC, Palo Alto Networks, F5 Networksand Pulse Secureadvise its customers to apply the latest update in products and versions that are affected.

Cisco, meanwhile, issued the following statement:

“We are not aware of any situation where a currently valid session token is written to log files.

“The storage of the session cookie within process memory of the client and in cases of clientless sessions the web browser while the sessions are active are not considered to be an unwarranted exposure. These values are required to maintain the operation of the session per design of the feature should session re-establishment be required due to network interruption. We have documented the concerns and the engineering teams will incorporate this feedback into discussions for future design improvements of the Cisco AnyConnect VPN solution.

“It should also be noted that all session material stored by both the Client and Clientless solutions are destroyed once the sessions is deliberately terminated.”

Use Alternatives to Password-Based Authentication

Password as a stand-alone approach for authentication is a weak security measure. Malicious actors have already complied millions, if not billions, of passwords used and they have that tools to automate the process of guessing passwords. The use of two-factor authentication is an example of an alternative to password-based authentication and a means to mitigate the vulnerabilities discovered by CERT/CC.

Let our security and IT experts help you navigate through the complexities of cybersecurity and IT risk. Contact is today at (416) 920-3000or email sales@genx.ca