
SoylentNews is people

posted by Fnord666 on Sunday April 14 2019, @12:33PM
from the good-luck,-I'm-behind-7-vpns dept.

CERT Vulnerability Note VU#192371, released this week, describes a vulnerability in several common VPNs caused by insecure storage of cookies or authentication tokens (in memory or in log files). An attacker who can either access an endpoint or exfiltrate data from it can replay sessions, bypassing other authentication methods and gaining access to any resources the user can reach through the VPN session.

Vulnerable vendors include

    Cisco - "will incorporate this feedback into discussions for future design improvements of the Cisco AnyConnect VPN Solution"
    F5 Networks, Inc - fixed in versions 12.1.3 and 13.1.0 and onwards
    Palo Alto Networks - fixed in GlobalProtect Agent 4.1.1 and later for Windows, and GlobalProtect Agent 4.1.11 and later for macOS.
    Pulse Secure - no statement yet

Known unaffected VPN vendors

    Check Point Software Technologies
    LANCOM Systems GmbH
    pfSense

(Information is not yet available on an additional 230 vendors)



 
  • (Score: 2, Interesting) by RandomFactor on Sunday April 14 2019, @02:33PM (2 children)

    by RandomFactor (3682) on Sunday April 14 2019, @02:33PM (#829374)

    While the response is weak from Cisco (it's worse if you read the underlying article), I would be surprised if they charge any extra for a future rev to AnyConnect.

    My involvement with Cisco tends to be indirect at best though, so if charging for routine revs is SOP I'll stand corrected.

    --
    There is no news in «Pravda», and no truth in «Izvestia»
  • (Score: 2) by jmorris on Sunday April 14 2019, @08:47PM (1 child)

    by jmorris (4844) on Sunday April 14 2019, @08:47PM (#829481)

    Well you don't pay for the patches with Cisco, you pay for the maintenance agreement and it just happens to be the only way to get patches. Nah, they wouldn't dream of selling defective products and forcing customers to pay them to fix the defects. That would be immoral.

    • (Score: 2) by Freeman on Monday April 15 2019, @03:33PM

      by Freeman (732) on Monday April 15 2019, @03:33PM (#829875)

      At least they assume something's going to go wrong and are upfront about the likelihood that you're going to need support. I would say it's a much better solution than the alternative (It doesn't work? Time to get a new one.) approach.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"