Security Advisory Regarding the Vulnerability Affecting Popular VPN Apps
An alert has been issued by DHS/CISA regarding an exploit found in popular enterprise VPN applications caused by insecure storage of authentication and session cookies that could lead to authentication bypass (and replay attacks if the attacker has persistent access to the VPN endpoint). It is noted that this may be a generic configuration that is not unique to vendors specializing in large deployments of enterprise VPN software and devices, and could affect a wide array of vendors and their VPN applications.
Known Affected Products
The following products and versions store the cookie insecurely in log files:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
The following products and versions store the cookie insecurely in memory:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
- Cisco AnyConnect 4.7.x and prior
Information Disclosure & References
This vulnerability information disclosure is being tracked in CVE-2019-1573.
Further CVE information resources:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1573
- https://www.kb.cert.org/vuls/id/192371/
- https://www.us-cert.gov/ncas/current-activity/2019/04/12/Vulnerability-Multiple-VPN-Applications
- https://www.bleepingcomputer.com/news/security/multiple-enterprise-vpn-apps-allow-attackers-to-bypass-authentication/
Remediation
This is a developing issue; VPN software providers are actively working on patches to address this vulnerability.
With respect to specific vendors
Palo Alto Networks VPN Client versions patched for this vulnerability:
- GlobalProtect Agent 4.1.1 and later for Windows
- GlobalProtect Agent 4.1.11 and later for macOS
Check Point & pfSense VPN apps are not vulnerable.
F5 Networks and Cisco have not responded or released any information.
Other authentication best practices
In addition to patching all VPN client applications and hardware with the latest available security updates from the vendor, enabling Multi Factor Authentication or One-Time Passwords as a best practice is advised.
There are no other known workarounds or mitigations for this vulnerability at this time.
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.
