US warns of security flaws in enterprise VPN apps

According to the cybersecurity agency of the US Department of Homeland Security, several enterprise VPN apps are vulnerable to a security flaw that allows a remote attacker to break into a company’s internal network.

The US Cybersecurity and Infrastructure Security Agency has published a warning about this, TechCrunch reports. VPN apps from four providers – Cisco, Palo Alto Networks, Pulse Secure and F5 Networks – are vulnerable to the flaw.

Tokens

The four apps do not properly store authentication tokens and session cookies on a user’s computer. These VPN apps are usually rolled out by a company’s IT staff, allowing employees to remotely access resources on the company’s network.

The VPN apps generate tokens for this based on a user’s password. These tokens are stored on the user’s computer so that he or she remains logged in, without constantly having to re-enter his or her password. However, if the tokens are stolen, they may provide access to the user’s account without requiring the user’s password.

If an attacker has access to the computer, for example via malware, they can steal the tokens and use them to gain access to the company’s network, with the same level of access as the user. In addition, the attacker also gains access to business apps, systems and data.

No patches

Palo Alto Networks has since confirmed that its GlobalProtect app was vulnerable. The company has rolled out a patch for its Windows and Mac variants. Cisco and Pulse Secure haven’t rolled out any patches yet. F5 Networks has reportedly been aware of the problems with storing the tokens since 2013, but advised users to roll out two-step verification instead of releasing a patch.

Hundreds of other apps may also be vulnerable to the flaw, but this needs further testing.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.