Remote access threat: big name enterprise VPNs store cookies in memory and log files

Credit: ID 108995068 © poenya200 |

The US CERT Coordination Center (CERT/CC) has warned that several brands’ virtual private network (VPN) apps are storing session and authentication cookies in a way that gives a remote attacker access to apps in a VPN-protected session. 

The alert, published last week, draws attention to VPNs from our vendors, including Cisco, Palo Alto Networks, F5 Networks, and Pulse Secure. However CERT/CC warns that the common configuration error is probably affects other vendors too. 

An F5 Networks spokesperson contacted CSO Online to state that F5 is aware of the vulnerabilities CVE-2013-6024 and CVE-2017-6139

F5 has provided customers with guidance to mitigate CVE-2013-6024, a low severity flaw. Meanwhile, CVE-2017-6139 has been fixed in BIG-IP 12.1.3, 13.1.0 and 13.0.1. Customers should update to one of these versions. 

The company has not received reports from customers of these vulnerabilities being exploited.

“It is likely that this configuration is generic to additional VPN applications,” CERT/CC said, calling on vendors to inform it if their products contain the same error. 

The Department of Homeland security says the common flaw can be used to “take control of an affected system”.

The VPN apps known to have this problem are storing authentication and session cookies in memory or in log files, which could allow an attacker to grab a valid cookie and replay a user session (or bypass other authentication protections) to gain access to the same apps the user has through a specific VPN session.

Products that are known to be storing cookies in memory or logs include Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573); Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2; and Cisco AnyConnect 4.7.x and prior. 

Troublingly, CERT/CC notes notes that F5 networks knew it was insecurely storing session cookies in memory since 2013 and has not issued a patch for the problem. The company did however fix an issue caused by storing cookies in logs after learning of it in 2017.     

Cisco issued a statement dated February that its app did not write valid session cookies to log files. 

“The storage of the session cookie within process memory of the client and in cases of clientless sessions the web browser while the sessions are active are not considered to be an unwarranted exposure. These values are required to maintain the operation of the session per design of the feature should session re-establishment be required due to network interruption. We have documented the concerns and the engineering teams will incorporate this feedback into discussions for future design improvements of the Cisco AnyConnect VPN solution,” Cisco explains.

Palo Alto Networks this month released an update to address the flaw, which it said could allow an attacker to “access authentication and/or session tokens and replay them to spoof the VPN session and gain access as the user.” 

Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2 stores session cookies in memory. 

Cisco’s Talos Intelligence has separately posted an alert about several vulnerabilities in Shimo VPN, a popular VPN app for macOS systems that is used to centrally manage multiple VPN accounts. 

The app’s “helper tool” has privileged access that is installed as root. By design, the service will restart even when it is terminated and an attacker with physical access could escalate privileges on a Mac with the software installed. 

“An exploitable privilege escalation vulnerability exists in the Shimo VPN helper service in the disconnectService functionality. A non-root user is able to kill any privileged process on the system. An attacker would need local access to the machine for a successful exploit,” Cisco notes.

Cisco says it informed Shimo’s developers in September last year and received a confirmation that the vendor had received the report. Cisco followed up three times in late 2018 and once more in March 2019 before publishing its disclosure, which includes a proof of concept exploit for the flaw. 

Tags Appleciscopalo alto networksMacOSf5CERT/CC

Show Comments