Enterprise VPN apps store authentication and session cookies insecurely

CVE-2019-1573, a flaw that makes VPN applications store the authentication and/or session cookies insecurely (i.e. unencrypted) in memory and/or log files, affects a yet to be determined number of enterprise Virtual Private Network (VPN) applications.

“If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods,” Carnegie Mellon University’s CERT Coordination Center (CERT/CC) explained. “An attacker would then have access to the same applications that the user does through their VPN session.”

This means that an attacker with access to the computer, usually through malware, can use the cookies to resume the target’s VPN sessions from another machine.

If the VPN application is used by the target to access their company’s internal networks and assets, the attacker will gain the same ability without the need to compromise and use valid credentials.

Which apps are affected?

The existence of CVE-2019-1573 was discovered by the National Defense ISAC Remote Access Working Group and it’s known to affect several apps:

• Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS
• Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
• Cisco AnyConnect 4.7.x and prior.

Some of F5 Network’s VPN software also apparently stores that sensitive information in memory, but not in the logs.

CERT/CC says that it’s possible and likely that this vulnerable configuration is generic to additional VPN applications, and lists another 230+ vendors whose products might be affected.

As of now, Check Point’s and pfSense’s offerings have been confirmed not to be affected.

Palo Alto Networks has released Palo Alto Networks GlobalProtect version 4.1.1 that patches this vulnerability.