CERT Vulnerability Note VU#192371 released this week describes a vulnerability due to insecure Cookie or Authentication Token storage (in memory or log files) of several common VPNs. The vulnerability allows attackers able to either access an endpoint, or exfiltrate data from it, to replay sessions bypassing other authentication methods, thus gaining access to any resources the user can access through the VPN session.
Vulnerable vendors include
CISCO - "will incorporate this feedback into discussions for future design improvements of the Cisco AnyConnect VPN Solution"
F5 Networks, Inc - fixed it in version 12.1.3 and 13.1.0 and onwards
Palo Alto Networks - fixed in GlobalProtect Agent 4.1.1 and later for Windows, and GlobalProtect Agent 4.1.11 and later for macOS.
Pulse Secure - no statement yet
Known unaffected VPN vendors
Check Point Software Technologies
LANCOM Systems GMBH
pfSense
(Information is not yet available on an additional 230 vendors)
(Score: 5, Interesting) by Anonymous Coward on Sunday April 14 2019, @01:48PM (3 children)
I started to use pfSense very long time ago, by only curiosity. And must admit, it was an initiator which in a span of couple years actually made me wanting FreeBSD on all of my network equipment, including servers and lately, even desktops. For pure technical reasons, like uptime robustness or ipv6 stack quality, or a true filesystem, not because of any ideology. So it came to pass, I used to use all kinds of Linux contraptions for 17 years in total, but now none of them.
(disclaimer: my 18cm beard is now a serious BSD bias indicator)
(Score: 0) by Anonymous Coward on Sunday April 14 2019, @02:30PM (1 child)
I also prefer *BSD, and always have even from the 'net' days, but video drivers is a killer. Forces many of us into Linux-land.
(Score: -1, Offtopic) by Anonymous Coward on Sunday April 14 2019, @02:34PM
test response
(Score: 4, Interesting) by crafoo on Sunday April 14 2019, @02:55PM
yep, pfsense is pretty nice. I got into it about the same way - tried it out on a router. No issues with it for years, and it has VPN setup as well as DNS and a few other nice features configured. FreeNAS is pretty decent too and is BSD. I tried a few desktop BSD distributions and they seem alright, but the video situation is not that great as you mentioned. I have another little box with SVN and some random web server stuff on it too. One thing I really like - the BSD documentation is pretty good.