Security Bulletin: What You Need to Know About the Vulnerability Affecting Popular VPN Apps

By |Published On: April 15th, 2019|Tags: |

An alert has been issued by DHS/CISA regarding an exploit found in popular enterprise VPN applications caused by insecure storage of authentication and session cookies that could lead to authentication bypass (and replay attacks if the attacker has persistent access to the VPN endpoint). It is noted that this may be a generic configuration that is not unique to vendors specializing in large deployments of enterprise VPN software and devices, and could affect a wide array of vendors and their VPN applications.

Known Affected Products

The following products and versions store the cookie insecurely in log files:

  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
  • Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the cookie insecurely in memory:

  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
  • Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
  • Cisco AnyConnect 4.7.x and prior

Information Disclosure & References

This vulnerability information disclosure is being tracked in CVE-2019-1573.

Further CVE information resources:

Remediation

This is a developing issue; VPN software providers are actively working on patches to address this vulnerability.

With respect to specific vendors

Palo Alto Networks VPN Client versions patched for this vulnerability:

  • GlobalProtect Agent 4.1.1 and later for Windows
  • GlobalProtect Agent 4.1.11 and later for macOS

Check Point & pfSense VPN apps are not vulnerable.

F5 Networks and Cisco have not responded or released any information.

Other authentication best practices

In addition to patching all VPN client applications and hardware with the latest available security updates from the vendor, enabling Multi Factor Authentication or One-Time Passwords as a best practice is advised.

There are no other known workarounds or mitigations for this vulnerability at this time.

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.