Authentication Bypass Bug Hits Top Enterprise VPNs

Business users of Cisco, F5 Networks, Palo Alto Networks and Pulse Secure platforms are impacted, according the U.S. government.


VPN apps built by four vendors — Cisco, F5 Networks, Palo Alto Networks and Pulse Secure — improperly store authentication tokens and session cookies without encryption on a user’s computer, according to an alert from the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA).

That means that attackers with local access to user’s computer can access authentication and/or session tokens and replay them to spoof the VPN session and gain access as the user.

The warning, issued Friday, comes after a public disclosure by CERT/CC, the vulnerability disclosure center at Carnegie Mellon University.

VPNs are used to create a secure connection with another network over the internet by creating an encrypted tunnel between point A and point B. However, multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.

“If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods,” explained the Carnegie-Mellon advisory. “An attacker would then have access to the same applications that the user does through their VPN session.”

Two of the platforms store the cookies insecurely in log files and in memory: Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573); Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6 and 9.0R2; and Edge Client components in F5 BIG-IP APM 11.4.1 and before, BIG-IP Edge Gateway 11.3 and prior, and FirePass 7.0 and prior (CVE-2013-6024).

In addition, Cisco AnyConnect 4.7.x and prior stores the cookie incorrectly in memory, according to the advisory.

There may be other affected platforms: “It is likely that this configuration is generic to additional VPN applications,” the Carnegie-Mellon team said.

Dan Tuchler, CMO of SecurityFirst, said in an email that “these are enterprise-grade VPNs from leading vendors, used to ensure that only legitimate users can access corporate assets, and they can be compromised. This is further evidence that the notion of a secure perimeter is obsolete, and a zero-trust model must be used. Once the intruder is within the company’s network and begins to probe for valuable assets, it is imperative to protect the data – by encrypting it, enforcing access policies, and reporting any violations. The idea of a secure perimeter wall around the network is now an aging fairy tale.”

Palo Alto Networks GlobalProtect version 4.1.1 patches this vulnerability; and F5 fixed the insecure log storage in 2017, in version 12.1.3 and 13.1.0 and onwards. Pulse Secure Connect Secure has fixed the vulnerability in the latest Pulse Desktop Client and Network Connect product.

F5 has been aware of the insecure memory storage since 2013 but has not yet patched that side, Carnegie-Mellon said. No patches appear to be available yet for Cisco AnyConnect.

F5 issued a statement to Threatpost:

“F5 is aware of both vulnerabilities and has issued advisories for both CVE-2013-6024 and CVE-2017-6139. The severity of CVE-2013-6024 is low and F5 provided guidance to customers on how to mitigate. CVE-2017-6139 has been fixed in BIG-IP 12.1.3, 13.1.0 and 13.0.1 and customers can eliminate the vulnerability by upgrading to one of these versions. F5 has not received reports from customers of these vulnerabilities being exploited.”

For its part, Cisco issued a statement to Carnegie-Mellon on the issue:

“We are not aware of any situation where a currently valid session token is written to log files.

“The storage of the session cookie within process memory of the client and in cases of clientless sessions the web browser while the sessions are active are not considered to be an unwarranted exposure. These values are required to maintain the operation of the session per design of the feature should session re-establishment be required due to network interruption. We have documented the concerns and the engineering teams will incorporate this feedback into discussions for future design improvements of the Cisco AnyConnect VPN solution.

“It should also be noted that all session material stored by both the Client and Clientless solutions are destroyed once the sessions are deliberately terminated.” 

The vulnerability is medium-severity given the requirement for an attacker to compromise the user’s computer prior to spoofing the VPN session.

Still, “until the security flaw is patched, organizations using these apps ought to enable two-factor authentication to connect to the VPN,” advised Paul Bischoff, privacy advocate with, via email. “That way, even if a hacker manages to compromise a security token, they still won’t be able to access the company’s network and resources.”

This story was updated at 3:30 p.m. ET on April 15, with a statement from F5, and at 10:40 a.m. April 16 with patch information from Pulse Secure.

Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.

A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.




Suggested articles