Homeland Security warns of security flaws in enterprise VPN apps
A number of enterprise digital personal networking apps are susceptible to a safety bug that may enable an attacker to remotely break into an organization’s inside community, in line with a warning issued by Homeland Safety’s cybersecurity division.
An alert was published Friday by the federal government’s Cybersecurity and Infrastructure Safety Company following a public disclosure by CERT/CC, the vulnerability disclosure heart at Carnegie Mellon College.
The VPN apps constructed by 4 distributors — Cisco, Palo Alto Networks, Pulse Safe, and F5 Networks — improperly retailer authentication tokens and session cookies on a consumer’s laptop. These aren’t your conventional client VPN apps used to guard your privateness, however enterprise VPN apps which are usually rolled out by an organization’s IT employees to permit distant employees to entry assets on an organization’s community.
The apps generate tokens from a consumer’s password and saved on their laptop to maintain the consumer logged in with out having to reenter their password each time. But when stolen, these tokens can enable entry to that consumer’s account without having their password.
However with entry to a consumer’s laptop — similar to by means of malware — an attacker may steal these tokens and use them to realize entry to an organization’s community with the identical stage of entry because the consumer. That features firm apps, programs and knowledge.
Up to now, solely Palo Alto Networks has confirmed its GlobalProtect app was susceptible. The corporate issued a patch for each its Home windows and Mac shoppers.
Neither Cisco nor Pulse Safe have patched their apps. F5 Networks is alleged to have identified about storing since at least 2013 however suggested customers to roll out two-factor authentication as a substitute of releasing a patch.
CERT warned that lots of of different apps might be affected — however extra testing was required.