Enterprise VPN Apps Store Authentication and Session Cookies Insecurely

Updated on: 24 June 2019
Updated on:24 June 2019

The Carnegie Mellon University CERT Coordination Center has found out that four enterprise VPN apps store the authentication and session cookies insecurely. More specifically, they are stored in memory or log files.

And these session cookies are unencrypted, left to the mercy of anyone smart enough to realize their significance. There’s plenty of room for cyber-attacks.

The National Defense ISAC Remote Access Working Group backed up this information and released information regarding these phantom log-files.

The offending VPN apps devised are:

  • Cisco
  • Palo Alto Networks
  • Pulse Secure
  • F5 Networks

Enterprise VPNs not to be trusted?

Company data passes through these VPNs with staff accessing it on a daily basis. If VPNs protecting such companies suffer from leaks and these session cookies are hacked by someone, the losses could be immense.

Just imagine that a company overseeing donation campaigns were to have its databases hacked. An attacker could gain access to highly sensitive data about donors.

All because of some session cookies stored in an insecure location and left unencrypted. These apps automatically generate tokens that make using the systems easier, such as log-in information of any user’s password so they no longer have to reenter their password any time they access that service.

What VPN apps are vulnerable?

The CVE-2019-1573, the flaw in question, has been found in as many as 4 VPN apps:

  • Cisco AnyConnect 4.7x and all prior versions
  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows
  • Palo Alto Networks GlobalProtect Agent 4.1.10 and earlier for the macOS
  • Pulse Secure Connect Secure all the way to 8.1R14, 8.2, 8.3R6, and 9.0R2

Palo Alto Networks immediately acknowledged this chink in their security and released an update for the affected apps.

As for Pulse Secure and Cisco, they haven’t released any public statements as of yet. F5 Networks, on the other hand, simply says that if you’re using a vulnerable version, you can simply upgrade or downgrade to a safe one.

What other VPN apps store these cookies?

CERT/CC specifically states this – “It is likely that this configuration is generic to additional VPN applications”, while also listing more than 230 VPN vendors under suspicion.

Check Point Software Technologies, LANCOM Systems Gmbh, and pfSense have been tested and were found to be safe. They aren’t storing these session cookies.

As for the rest, however, there is no data available. For safety reasons, we might as well assume that they are vulnerable to exploitation, and be vigilant. Until the contrary is proven, it’s best to keep safe.

The cybersecurity industry has been struck a heavy blow with this revelation, and many are going to take a plunge downward if they don’t offer proper explanations for the vulnerability.

The affected VPN apps are bound to be patched and secured. If the experts were able to pinpoint these authentication and session cookies, shouldn’t we assume that a lucky hacker stumbled upon them as well?

Written by: Bogdan Patru

Author, creative writer, and tech-geek. Bogdan has followed his passion for the digital world ever since he got his hands of his first pc. After years of accumulating knowledge and experience, the good Samaritan in him whispered him one day about the virtue of sharing that knowledge with those who needed it. It was 2014 when that idea would grow into a life-defining passion. One that keeps driving him to this day.

Leave a Reply

Your email address will not be published. Required fields are marked *