Numerous corporate VPN clients may be vulnerable to a potentially serious security weakness that could let an attacker replay a user's session to gain access, according to an advisory from Carnegie Mellon University's CERT Coordination Center (CERT/CC).
Connecting to a corporate VPN gateway from a given vendor usually requires a dedicated client application designed to work with it. So far the problem has been confirmed only in clients from four vendors: Palo Alto Networks, F5 Networks, Pulse Secure and Cisco, but others could be affected.
The problem is surprisingly basic: the applications have been storing session and authentication cookies insecurely in memory or in log files, leaving them open to misuse. CERT/CC explains:
"If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would have access to the same applications that the user does through their VPN session."
In a network that imposes no additional authentication, this would amount to handing corporate VPN privileges to anyone who can get hold of the vulnerable data.
The weakness manifests in two ways: cookies stored insecurely in log files, and cookies stored insecurely in memory. The following clients suffer from both weaknesses:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows
- Palo Alto Networks GlobalProtect Agent 4.1.10 and earlier versions for macOS (CVE-2019-1573)
- Pulse Secure Connect Secure before 8.1R14, 8.2, 8.3R6 and 9.0R2
- A range of F5 Edge Client components including BIG-IP APM, BIG-IP Edge Gateway and FirePass (CVE-2013-6024)
In addition, Cisco's AnyConnect version 4.7.x and above stores the cookie insecurely in memory. However, the advisory lists 237 vendors in total, only three of which are confirmed as not affected. Hence:
"It is likely that this configuration is generic to additional VPN applications."
This should be read as a flashing red warning that many more VPN clients may suffer from the same problems.
Exploiting the flaw still requires the attacker to be on the same network as the target VPN in order to carry out the replay attack. It is not clear whether additional authentication would defend against it.
One defense that should work is disconnecting from sessions, which invalidates the stored cookies and makes them useless to anyone who steals them.
Beyond that, administrators should apply patches as they become available. For Palo Alto Networks GlobalProtect the fixed version is 4.1.1, while Pulse Secure has not yet responded. Cisco suggested that users should always terminate sessions to refresh the cookies, adding:
"The storage of the session cookie in the client process memory and, in the case of clientless sessions, in the web browser while the sessions are active, is not considered an unjustified exposure."
F5 Networks said that the insecure log storage was fixed in 2017, in versions 12.1.3 and 13.1.0 and later. Regarding memory storage:
"F5 has been aware of the insecure memory storage since 2013 and it has not yet been updated."
Administrators should consult F5's online documentation on this point.