VPN Software From Palo Alto, Cisco, Pulse, and F5 Doesn’t Store Session Cookies Securely: DHS
A warning has been issued by the Department of Homeland Security (DHS) regarding the unreliable nature of Virtual Private Network (VPN) programmes from several well-known VPN service providers including Cisco, Palo Alto Networks, Pulse, and F5.
The problem described by the DHS in the warning notice is that VPN applications from these firms do not securely store session cookies and tokens, which can let cybercriminals access and gain full control of the user’s device. The warning has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) of the DHS.
It is worth noting that the warning has been issued at a time when CERT, a renowned group of security researchers, has also reported the presence of insecure authentication or session cookies in the log files or memory of the device. In its notice, CERT researchers wrote:
If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.
This is a complete violation of the primary purpose for which VPNs are used, because attackers can bypass authentication quite easily. The Common Weakness Enumeration database, in CWE-311, describes that when an app, especially an enterprise application like a VPN, doesn’t encrypt sensitive or critical information prior to storing and transmitting it, attackers can manage to intercept and read traffic data, as well as inject malicious code to carry out a Man-in-the-Middle (MitM) attack.
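The log-file side of the weakness described above can be handled by the application that writes the log: the following Python code is an added example, not code from CERT, the DHS or any vendor. It replaces session cookie values in log lines with a keyed fingerprint that still lets an analyst correlate a session but cannot be replayed, and reports which lines exposed a cookie. The cookie names, log lines and key are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: names of cookies that carry session state. Constructed for this
# example, not taken from any vendor's product.
SESSION_COOKIE_NAMES = {"session", "sessionid", "authtoken"}

# name=value pairs as they appear in Cookie / Set-Cookie headers.
PAIR_RE = re.compile(r"\b([A-Za-z0-9_\-]+)=([^;\s,]+)")

def fingerprint(value: str, key: bytes) -> str:
    """Keyed, truncated digest: correlates a session across log lines but
    cannot be presented to the server in place of the cookie."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]

def redact_line(line: str, key: bytes) -> str:
    """Replace session cookie values in one log line with their fingerprint."""
    def _sub(m: re.Match) -> str:
        name, value = m.group(1), m.group(2)
        if name.lower() not in SESSION_COOKIE_NAMES:
            return m.group(0)          # not a session cookie: keep as written
        if value.startswith("<redacted:"):
            return m.group(0)          # already redacted: stay idempotent
        return f"{name}=<redacted:{fingerprint(value, key)}>"
    return PAIR_RE.sub(_sub, line)

def audit(lines, key: bytes):
    """Return 1-based numbers of the lines that expose a session cookie."""
    return [n for n, line in enumerate(lines, 1)
            if redact_line(line, key) != line]

# Constructed sample log lines (not from any real product).
SAMPLE_LOG = [
    "2019-04-12 10:01:07 DEBUG connect gateway=vpn.example.test",
    "2019-04-12 10:01:08 DEBUG Set-Cookie: sessionid=Zq3vT8kLmN0p; path=/; secure",
    "2019-04-12 10:01:09 DEBUG Cookie: lang=en; sessionid=Zq3vT8kLmN0p",
    "2019-04-12 10:01:10 INFO tunnel established mtu=1400",
]
KEY = b"constructed-demo-key"  # in practice a per-host secret kept out of the logs

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact_line(entry, KEY))
    print("lines exposing a session cookie:", audit(SAMPLE_LOG, KEY))
```

Redaction of this kind covers only what is written to logs; cookies held in process memory or in a client's own storage still depend on the vendor fixes described below.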
CERT also confirmed that VPN products from Cisco, F5, Pulse Secure, and Palo Alto Networks do not securely store session cookies and tokens, but the problem has been fixed in the recent versions of Palo Alto VPNs and partly patched in F5 VPNs. Moreover, CERT noted that the VPNs from Check Point and pfSense are not affected by this flaw, but the reliability of products from the other 200+ VPN service providers is as yet unknown.
Palo Alto Networks also released a security advisory on this issue in which it disclosed the vulnerability, which is classified as CVE-2019-1573. The company also published security updates in the GlobalProtect Agent 4.1.1 for Windows and GlobalProtect Agent 4.1.11 for macOS.
According to a statement issued by F5, the company has been aware of the issue since 2013 but overlooked it for a long time, and in 2017 it fixed the issue in VPN versions 12.1.3 and 13.1.0 and above. F5 also issued a tip for users to prevent the issue:
“To mitigate this vulnerability, you can use a one-time password or two-factor authentication instead of password-based authentication.”
Pulse Secure has also issued a security advisory.