An alert from the Carnegie Mellon University CERT Coordination Center (CERT/CC) has warned that numerous enterprise VPN clients could be vulnerable to a potentially serious security weakness that could be used to spoof access by replaying a user’s session.
Connecting to an enterprise VPN gateway made by a specific company usually requires a dedicated application designed to work with it. So far, the issue has only been confirmed in applications from 4 vendors – Palo Alto, F5 Networks, Pulse Secure, and Cisco – but others could be affected.
The problem is the surprisingly basic one – applications have been insecurely storing session and authentication cookies in memory or log files which renders them vulnerable to misuse. CERT/CC explains:
If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.
Which, if it were to happen on a network imposing no additional authentication, would be like handing over the privileges of an enterprise VPN to anyone able to get their hands on the vulnerable data.
The weakness manifests in 2 ways: cookies stored insecurely in log files and cookies stored insecurely in memory. These are the clients suffering both weaknesses:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows
- Palo Alto Networks GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
- A range of F5 Edge Client components including BIG-IP APM, BIG-IP Edge Gateway, and FirePass (CVE-2013-6024).
Furthermore, Cisco’s AnyConnect version 4.7.x and earlier stores the cookie insecurely in memory. However, the alert lists 237 vendors in total, only 3 of which are definitely not affected. Therefore, it is likely that this configuration is generic to additional VPN applications. That should be taken as a warning with red flashing lights on it that many more VPN clients might suffer the same problems.
So what are the mitigations?
Exploiting the security flaw still requires that the attacker is using the same network as the targeted VPN in order to carry out the replay attack. It’s not clear whether additional authentication would be a defense against this.
A defense that should work is to log out of sessions, thereby invalidating the stored cookie and making them worthless to anyone looking to steal them.
Beyond that, admins should apply patches where they are available. In the case of Palo Alto Networks GlobalProtect it’s version 4.1.1, while Pulse Secure has yet to respond. Cisco suggested users should always terminate sessions to refresh cookies, before adding:
The storage of the session cookie within process memory of the client and in cases of clientless sessions the web browser while the sessions are active are not considered to be an unwarranted exposure.
F5 Networks said insecure log storage was fixed in 2017 in version 12.1.3 and 13.1.0 and onwards. As for the memory storage:
F5 has been aware of the insecure memory storage since 2013 and has not yet been patched.
Admins should consult F5’s online documentation regarding this.