As IT professionals for decades, we have always highlighted the importance of a VPN when it comes to maintaining security and privacy. It is the most cost-effective way to isolate a connection from prying eyes: a VPN creates a secure virtual pipe from the user’s origin device to the VPN vendor’s exit node, wherever it may be. A VPN is also an effective way for users to bypass ISP restrictions; it was even an effective tool for citizens in mainland China to evade the scaled-down Internet that resulted from the implementation of the Great Firewall.
It seems that this once-great advice is about to become obsolete for those who use the enterprise VPN services offered by Cisco, Palo Alto Networks, F5 Networks, and Pulse Secure. A Man-in-the-Middle (MITM) attack vulnerability has been discovered in those VPN applications, which compelled the Cybersecurity and Infrastructure Security Agency (CISA), an office under the U.S. Department of Homeland Security, to issue a warning to all its users. The affected products are Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows; GlobalProtect Agent 4.1.10 and earlier for macOS; Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2; and Cisco AnyConnect 4.7.x and prior.
The vulnerability is classified under CWE-311 (Common Weakness Enumeration), described in the report as “The lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.” In other words, the vulnerable versions of the VPN software from Cisco, Palo Alto Networks, F5 Networks, and Pulse Secure do not implement the proper encryption procedure, making them akin to a pretend VPN: the users are still exposed publicly, no different from being directly connected to the Internet without a VPN subscription.
“If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session,” explained Madison Oliver from Carnegie Mellon University.
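A defender can look for the replay described in this quote on the gateway side. The following is an added example, not code from CISA, CERT/CC or any vendor named here: it flags a session token that is presented by a different client than the one that authenticated, or from two source IPs within a short window. The log format, field names and the ten-minute window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample gateway log (assumed format, sorted by time):
# timestamp user session-token-id source-ip client-id event
SAMPLE_LOG = """\
2019-04-12T09:00:00 alice s-7f3a 198.51.100.10 host-A event=auth
2019-04-12T09:05:00 alice s-7f3a 198.51.100.10 host-A event=request
2019-04-12T09:06:30 alice s-7f3a 203.0.113.77 host-X event=request
2019-04-12T09:07:00 alice s-7f3a 198.51.100.10 host-A event=request
2019-04-12T10:00:00 bob s-19cc 198.51.100.20 host-B event=auth
2019-04-12T13:00:00 bob s-19cc 192.0.2.44 host-B event=request
"""

WINDOW = timedelta(minutes=10)  # assumed threshold for "concurrent" use


def parse(line):
    """Split one log line into (timestamp, user, session, ip, client)."""
    ts, user, session, ip, client, _event = line.split()
    return datetime.fromisoformat(ts), user, session, ip, client


def find_replayed_sessions(log_text, window=WINDOW):
    """Return a set of (session, user, reason) for suspicious token reuse."""
    bound_client = {}  # session -> client id seen on the first (auth) event
    last_seen = {}     # session -> {source ip: last timestamp}
    findings = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, session, ip, client = parse(line)
        # Rule 1: the token is presented by a client that did not authenticate.
        bound_client.setdefault(session, client)
        if client != bound_client[session]:
            findings.add((session, user, "client-mismatch"))
        # Rule 2: the same token is active from two source IPs at once.
        # A roaming user changes IP too, but the old IP then goes quiet.
        seen = last_seen.setdefault(session, {})
        for other_ip, other_ts in seen.items():
            if other_ip != ip and ts - other_ts <= window:
                findings.add((session, user, "concurrent-source-ip"))
        seen[ip] = ts
    return findings


if __name__ == "__main__":
    for finding in sorted(find_replayed_sessions(SAMPLE_LOG)):
        print(finding)
```

In the sample, alice's token trips both rules, while bob's change of IP three hours later on the same client does not.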
There is no assurance that other vendors are 100% in compliance with VPN principles; as per the National Defense ISAC Remote Access Working Group, it will not be surprising if other VPN apps exhibit the same vulnerability. As per the agency, the VPN market is huge and very competitive, with 237 brands competing for users’ attention.
Palo Alto Networks, for its part, urges all users to upgrade their version of GlobalProtect Agent; the fixed versions are GlobalProtect Agent 4.1.1 and later for Windows and GlobalProtect Agent 4.1.11 and later for macOS. F5 Networks, for its part, has posted a lengthy Knowledgebase article detailing the mitigation procedures and the exact version numbers of its products that are not affected by the vulnerability.
“(We are) aware of the insecure memory storage since 2013. To mitigate this vulnerability, you can use a one-time password or two-factor authentication instead of password-based authentication. F5 would like to acknowledge Giorgio Casali and Simone Cecchini with Verizon Enterprise Solutions GCIS Threat and Vulnerability Management for their efforts in identifying this issue, and for following the highest standards of responsible disclosure,” concluded F5 Networks.