The Department of Homeland Security’s cybersecurity division is warning enterprise businesses of security flaws in popular enterprise VPN apps. The security flaws could allow attackers to remotely access companies internal networks.
The affected VPN apps are built by four enterprise vendors, Cisco, Palo Alto Networks, Pulse Secure and F5 Networks. According to Homeland Security, these apps are storing authentication tokens and session cookies on users computers incorrectly, allowing for the exploit.
UPDATED (04/15/2019): A small update to this article as F5 Networks has reached out to us with the following statement:
F5 is aware of both vulnerabilities and has issued advisories for both CVE-2013-6024and CVE-2017-6139. The severity of CVE-2013-6024 is low and F5 provided guidance to customers on how to mitigate. CVE-2017-6139 has been fixed in BIG-IP 12.1.3, 13.1.0 and 13.0.1 and customers can eliminate the vulnerability by upgrading to one of these versions. F5 has not received reports from customers of these vulnerabilities being exploited.F5 Networks spokesperson
Original Story Continued:
It’s important to note that the VPN apps in question are not built for consumers. These apps are made for business users and are implemented by IT departments. VPN apps are used frequently by businesses to access internal networks when working offsite in order to keep connections secure. So there’s no threat to consumers using any VPN app built for consumers from those particular vendors.
The apps generate tokens from a user’s password and are stored on their computer to keep the user logged in without having to reenter their password every time. But if stolen, these tokens can allow access to that user’s account without needing their password.
But with access to a user’s computer — such as through malware — an attacker could steal those tokens and use them to gain access to a company’s network with the same level of access as the user. That includes company apps, systems and data.TechCrunch
Currently, only Palo Alto networks have addressed the security flaws and have issued patches to fix. The other vendors have yet to patch the problem but they most likely will very soon.
Last Updated on February 3, 2021.