====================================================================
                          CERT-Renater

              Information Note No. 2019/VULN096
_____________________________________________________________________

DATE                 : 17/04/2019

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running VPN applications.

=====================================================================
https://www.kb.cert.org/vuls/id/192371/
_____________________________________________________________________

VPN applications insecurely store session cookies

Vulnerability Note VU#192371

Original Release Date: 2019-04-11 | Last Revised: 2019-04-15

Overview

Multiple Virtual Private Network (VPN) applications store the
authentication and/or session cookies insecurely in memory and/or log
files.

Description

Virtual Private Networks (VPNs) are used to create a secure connection
with another network over the internet. Multiple VPN applications store
the authentication and/or session cookies insecurely in memory and/or
log files.

CWE-311: Missing Encryption of Sensitive Data

The following products and versions store the cookie insecurely in log
files:

- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and
  GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the cookie insecurely in
memory:

- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and
  GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
- Cisco AnyConnect 4.7.x and prior

It is likely that this configuration is generic to additional VPN
applications. If you believe that your organization is vulnerable,
please contact CERT/CC at cert@cert.org with the affected products,
version numbers, patch information, and self-assigned CVE.

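An added example, not part of the original advisory and not vendor code: an audit pass over client log lines that flags token-like values stored next to session-related key names and reports them redacted. The key-name pattern, the entropy threshold and the sample log lines are assumptions constructed for illustration; real client log formats differ per vendor.

```python
import math
import re
from collections import Counter

# Assumed key names that often label session material; extend for your client.
KEY_RE = re.compile(
    r"(?i)\b([\w-]*(?:cookie|session|token|auth)[\w-]*)\s*[=:]\s*\"?([A-Za-z0-9+/=_%.-]{16,})"
)
MIN_ENTROPY = 3.0  # bits per character; assumed threshold, tune per environment


def shannon_entropy(value):
    """Bits per character of the value's empirical character distribution."""
    counts = Counter(value)
    total = len(value)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def redact(value):
    """Keep 4 leading characters for triage and mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def find_cookie_leaks(lines):
    """Return (line_no, key, redacted_value) for token-like values in log lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for key, value in KEY_RE.findall(line):
            # Low-entropy values (counters, padding) are not session material.
            if shannon_entropy(value) >= MIN_ENTROPY:
                findings.append((line_no, key, redact(value)))
    return findings


# Constructed sample log lines (not taken from any vendor's client).
SAMPLE_LOG = [
    "2019-04-11 09:14:02 INFO  connecting to gateway vpn.example.org",
    "2019-04-11 09:14:03 DEBUG portal response: authcookie=9f3c1a7be24d4c08b6e15d7a03f2c9e1",
    "2019-04-11 09:14:03 DEBUG session_timeout=0000000000000000",
    "2019-04-11 09:14:04 INFO  tunnel established",
]

if __name__ == "__main__":
    for line_no, key, masked in find_cookie_leaks(SAMPLE_LOG):
        print(f"line {line_no}: {key} = {masked}")
```

A finding means the log file itself has to be handled as a credential: restrict its permissions, rotate or purge it, and end the affected session.
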
Impact

If an attacker has persistent access to a VPN user's endpoint or
exfiltrates the cookie using other methods, they can replay the session
and bypass other authentication methods. An attacker would then have
access to the same applications that the user does through their VPN
session.

Solution

Apply an update

Palo Alto Networks GlobalProtect Agent version 4.1.1 and later for
Windows and GlobalProtect Agent version 4.1.11 and later for macOS patch
this vulnerability.

Pulse Desktop Client and Network Connect improper handling of session
cookies (CVE-2016-8201) SA44114 - 2019-04: Out-of-Cycle Advisory.

CERT/CC is unaware of any patches at the time of publishing for Cisco
AnyConnect.

Vendor Information

Cisco

  Notified:       January 31, 2019
  Updated:        April 12, 2019
  Statement Date: February 13, 2019
  Status:         Affected

  Vendor Statement

  We are not aware of any situation where a currently valid session
  token is written to log files. The storage of the session cookie
  within process memory of the client and in cases of clientless
  sessions the web browser while the sessions are active are not
  considered to be an unwarranted exposure. These values are required to
  maintain the operation of the session per design of the feature should
  session re-establishment be required due to network interruption. We
  have documented the concerns and the engineering teams will
  incorporate this feedback into discussions for future design
  improvements of the Cisco AnyConnect VPN solution. It should also be
  noted that all session material stored by both the Client and
  Clientless solutions are destroyed once the sessions is deliberately
  terminated by

  Vendor Information

  We are not aware of further vendor information regarding this
  vulnerability.

F5 Networks, Inc.

  Notified:       January 31, 2019
  Updated:        April 11, 2019
  Status:         Affected

  Vendor Statement

  No statement is currently available from the vendor regarding this
  vulnerability.

  Vendor Information

  F5 has been aware of the insecure memory storage since 2013 and it has
  not yet been patched. More information can be found here:
  https://support.f5.com/csp/article/K14969
  They have been aware of the insecure log storage since 2017 and fixed
  it in versions 12.1.3 and 13.1.0 and onwards. More information can be
  found here:
  https://support.f5.com/csp/article/K45432295

Palo Alto Networks

  Notified:       January 31, 2019
  Updated:        April 11, 2019
  Status:         Affected

  Vendor Statement

  No statement is currently available from the vendor regarding this
  vulnerability.

  Vendor Information

  CVE-2019-1573
  Update to GlobalProtect Agent 4.1.1 and later for Windows, and
  GlobalProtect Agent 4.1.11 and later for macOS.

  Vendor References

  https://securityadvisories.paloaltonetworks.com/Home/Detail/146

Pulse Secure

  Notified:       January 31, 2019
  Updated:        April 15, 2019
  Statement Date: April 13, 2019
  Status:         Affected

  Vendor Statement

  SA44114 - 2019-04: Out-of-Cycle Advisory: Pulse Desktop Client and
  Network Connect improper handling of session cookies (CVE-2016-8201)

  Vendor Information

  We are not aware of further vendor information regarding this
  vulnerability.

  Vendor References

  https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44114/

Check Point Software Technologies

  Notified:       January 31, 2019
  Updated:        April 01, 2019
  Status:         Not Affected

  Vendor Statement

  No statement is currently available from the vendor regarding this
  vulnerability.

  Vendor Information

  We are not aware of further vendor information regarding this
  vulnerability.

LANCOM Systems GmbH

  Notified:       April 11, 2019
  Updated:        April 12, 2019
  Statement Date: April 12, 2019
  Status:         Not Affected

  Vendor Statement

  No statement is currently available from the vendor regarding this
  vulnerability.

  Vendor Information

  LANCOM products are not affected by this vulnerability because session
  cookies are not used.

  Vendor References

  https://www.lancom-systems.com/service-support/instant-help/general-security-information/#c166517

pfSense

  Notified:       January 31, 2019
  Updated:        April 01, 2019
  Status:         Not Affected

  Vendor Statement

  No statement is currently available from the vendor regarding this
  vulnerability.

  Vendor Information

  We are not aware of further vendor information regarding this
  vulnerability.

3com Inc

  Notified:       January 31, 2019
  Updated:        January 31, 2019
  Status:         Unknown

  Vendor Statement

  No statement is currently available from the vendor regarding this
  vulnerability.

  Vendor Information

  We are not aware of further vendor information regarding this
  vulnerability.

A10 Networks

  Notified:       January 31, 2019
  Updated:        January 31, 2019
  Status:         Unknown

  Vendor Statement

  No statement is currently available from the vendor regarding this
  vulnerability.

  Vendor Information

  We are not aware of further vendor information regarding this
  vulnerability.

ACCESS

  Notified:       January 31, 2019
  Updated:        January 31, 2019
  Status:         Unknown

  Vendor Statement

  No statement is currently available from the vendor regarding this
  vulnerability.

  Vendor Information

  We are not aware of further vendor information regarding this
  vulnerability.

View all 237 vendors

CVSS Metrics

  Group           Score   Vector
  Base            5.7     AV:L/AC:L/Au:S/C:C/I:P/A:P
  Temporal        4.5     E:POC/RL:OF/RC:C
  Environmental   4.5     CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  https://securityadvisories.paloaltonetworks.com/Home/Detail/146
  https://vuldb.com/?id.133258
  https://cwe.mitre.org/data/definitions/311.html
  https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44114/

Credit

Thanks to the National Defense ISAC Remote Access Working Group for
reporting this vulnerability.

This document was written by Madison Oliver.

Other Information

  CVE IDs:              CVE-2019-1573, CVE-2016-8201
  Date Public:          2019-04-10
  Date First Published: 2019-04-11
  Date Last Updated:    2019-04-15 16:46 UTC
  Document Revision:    55

Sponsored by the Department of Homeland Security Office of Cybersecurity
and Communications.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================