The Carnegie Mellon University CERT Coordination Center has found that four enterprise VPN apps store authentication and session cookies insecurely. More specifically, the cookies are stored in memory or in log files.
And these session cookies are unencrypted, left to the mercy of anyone smart enough to realize their significance. There’s plenty of room for cyber-attacks.
The National Defense ISAC Remote Access Working Group backed up this finding and released information regarding these phantom log files.
The offending VPN apps identified are:
Company data passes through these VPNs, with staff accessing it on a daily basis. If the VPNs protecting such companies leak and someone gets hold of these session cookies, the losses could be immense.
Just imagine that a company overseeing donation campaigns were to have its databases hacked. An attacker could gain access to highly sensitive data about donors.
All because of some session cookies stored in an insecure location and left unencrypted. These apps automatically generate tokens that make the systems easier to use: once a user has logged in with their password, the token stands in for it, so they no longer have to reenter the password every time they access that service.
CVE-2019-1573, the flaw in question, has been found in as many as 4 VPN apps:
Palo Alto Networks immediately acknowledged this chink in their security and released an update for the affected apps.
As for Pulse Secure and Cisco, they haven’t released any public statements as of yet. F5 Networks, on the other hand, says that if you’re using a vulnerable version, you can simply upgrade or downgrade to a safe one.
CERT/CC specifically states: “It is likely that this configuration is generic to additional VPN applications”, while also listing more than 230 VPN vendors under suspicion.
Check Point Software Technologies, LANCOM Systems GmbH, and pfSense have been tested and were found to be safe. They aren’t storing these session cookies.
As for the rest, however, there is no data available. For safety reasons, we might as well assume that they are vulnerable to exploitation, and be vigilant. Until the contrary is proven, it’s best to keep safe.
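One way to act on that for a client that has not been tested is to audit its log directory for session cookies written in the clear and for log files that other local users can read. This is an added example, not code from CERT/CC or any vendor; the regex patterns, the sample log lines and the function names are assumptions, and the permission check assumes POSIX file modes.

```python
import os
import re
import stat

# Assumed, vendor-neutral patterns; tune them to the client under review.
HEADER_RE = re.compile(r"\b(?:Set-)?Cookie:\s*(.+)", re.I)
COOKIE_PAIR_RE = re.compile(r"([\w.-]+)=([^;\s]{16,})")
KEYED_RE = re.compile(
    r"\b([\w.-]*(?:session|cookie|token)[\w.-]*)\s*[=:]\s*"
    r"([A-Za-z0-9+/_-]{16,}=*)", re.I)

# Constructed sample log lines, not taken from any real VPN client.
SAMPLE_LOG = """\
2019-04-12 09:14:02 INFO  tunnel up, mtu=1400
2019-04-12 09:14:02 DEBUG recv Set-Cookie: SESSID=3f9a1c77b2e04d5a9c61aa07e4d2; path=/; secure
2019-04-12 09:14:03 DEBUG auth_token=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==
2019-04-12 09:14:05 INFO  session timeout set to 3600
"""


def redact(value):
    """Keep enough to recognise the token, never the whole secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_line(line):
    """Return (name, redacted_value) for each token-like value in a line."""
    header = HEADER_RE.search(line)
    pairs = (COOKIE_PAIR_RE.findall(header.group(1)) if header
             else KEYED_RE.findall(line))
    return [(name, redact(value)) for name, value in pairs]


def audit_logs(root):
    """Walk root and report cleartext tokens plus who else can read the file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            # POSIX permission bits: readable by group or by everyone.
            exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
            with open(path, errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for key, shown in scan_line(line):
                        findings.append((path, line_no, key, shown, exposed))
    return findings
```

Each finding is a tuple of path, line number, token name, redacted value and whether the file is readable beyond its owner; a hit in a log that is also group- or world-readable is the case to fix first.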
The cybersecurity industry has been dealt a heavy blow by this revelation, and many are going to take a plunge if they don’t offer proper explanations for the vulnerability.
The affected VPN apps are bound to be patched and secured. If the experts were able to pinpoint these authentication and session cookies, shouldn’t we assume that a lucky hacker stumbled upon them as well?