Department of Homeland Security Warns on VPN Security
VPN packages from Cisco, Palo Alto, F5, and Pulse may improperly store tokens and cookies, which may let cybercriminals invade and take control of an end user’s system, the Department of Homeland Security has warned.
The warning comes after a notice from Carnegie Mellon's CERT that multiple VPN applications store authentication and/or session cookies insecurely in memory and/or log files. “If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods,” CERT wrote. “An attacker would then have access to the same applications that the user does through their VPN session.”
CERT named the following products and versions as storing tokens and cookies insecurely:
Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
The following products and versions store the cookie insecurely in memory:
Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS
Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
Cisco AnyConnect 4.7.x and prior