Marketing

Gov’t warns on VPN security bug in Cisco, Palo Alto, F5, Pulse software

The Department of Homeland Security has issued a warning that some VPN packages from Cisco, Palo Alto, F5 and Pusle may improperly secure tokens and cookies, allowing nefarious actors an opening to invade and take control over an end user’s system. 

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) warning comes on the heels of a notice from Carnegie Mellon’s CERT that multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.

“If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods,” CERT wrote. “An attacker would then have access to the same applications that the user does through their VPN session.”

According to the CERT warning, the following products and versions store the cookie insecurely in log files:

  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
  • Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2.