CERT Vulnerability Note VU#192371, released this week, describes a vulnerability caused by insecure storage of session cookies or authentication tokens (in process memory or in log files) by the clients of several common VPNs. An attacker who gains access to the endpoint, or who exfiltrates the stored cookie from it by other means, can replay the session to the VPN gateway and bypass the other authentication methods, since the stored cookie is what the gateway accepts as proof that authentication (including any second factor) already happened. The attacker thereby gains access to any resource the user can reach through the VPN session.
Vulnerable vendors include:
Cisco - "will incorporate this feedback into discussions for future design improvements of the Cisco AnyConnect VPN Solution"
F5 Networks, Inc - fixed the log-file storage issue in versions 12.1.3 and 13.1.0 and onwards
Palo Alto Networks - fixed in GlobalProtect Agent 4.1.1 and later for Windows, and GlobalProtect Agent 4.1.11 and later for macOS
Pulse Secure - no statement yet
Known unaffected VPN vendors:
Check Point Software Technologies
LANCOM Systems GMBH
pfSense
(Information is not yet available on an additional 230 vendors)
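The finding above has two halves: a cookie held in process memory and a cookie written to a log file. The log-file half is the one an administrator can check without a debugger. The following Python is an added example, not part of the CERT note and not any vendor's code: it scans log lines for key/value pairs whose values look like replayable credentials (long and high-entropy) and shows the redaction a safer logger would apply before writing. The sample log lines are constructed, and the key names (Set-Cookie, auth_token, session_id) are generic assumptions; real client logs use vendor-specific fields, so extend SECRET_KEYS for the product under test.

```python
"""Added example: flag session cookies/tokens that a VPN client has written
to its log files in clear, and show the redaction a safer logger would apply.

Assumptions (not from the CERT note): key names such as Set-Cookie,
session_id and auth_token are generic guesses; real client logs use
vendor-specific field names, so extend SECRET_KEYS for the product you test.
"""
import math
import re
from collections import Counter

# key=value / Header: value pairs whose values may be session secrets.
SECRET_KEYS = re.compile(
    r"(?i)\b(?P<key>set-cookie|cookie|session[-_ ]?(?:id|token|cookie)"
    r"|auth[-_ ]?token|token)\b"
    r"(?P<sep>\s*[:=]\s*)"
    r'(?P<val>[^\s;,"]+)'
)

# Constructed sample log lines (not captured from any real VPN client).
SAMPLE_LOG = """\
2019-04-12 09:14:02 INFO  connecting to vpn.example.com:443
2019-04-12 09:14:03 DEBUG Set-Cookie: session=Q3p9vKx2LmN8sT4wYz1aBc7dEf0gHi5J; Secure; HttpOnly
2019-04-12 09:14:03 DEBUG auth_token=7f3a9c1e5b2d8e4f0a6c9b1d3e5f7a2c
2019-04-12 09:14:04 INFO  tunnel established, token=none
2019-04-12 09:14:05 DEBUG user=alice session_id=42
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above 3, words below."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(value: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Long, high-entropy values are treated as replayable credentials."""
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def find_leaked_tokens(lines):
    """Return (line_no, key, value) for every secret-looking value found."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for m in SECRET_KEYS.finditer(line):
            if looks_like_secret(m.group("val")):
                hits.append((line_no, m.group("key"), m.group("val")))
    return hits


def redact(line: str) -> str:
    """What the client should have written: same line, secret replaced."""
    def _sub(m):
        if looks_like_secret(m.group("val")):
            return f"{m.group('key')}{m.group('sep')}<redacted>"
        return m.group(0)  # short or low-entropy values are left as they are
    return SECRET_KEYS.sub(_sub, line)


def scan_file(path: str):
    """Run the check over a real log file on the endpoint being audited."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_leaked_tokens(fh)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for line_no, key, val in find_leaked_tokens(lines):
        print(f"line {line_no}: {key} carries a secret-looking value ({len(val)} chars)")
        print("   redacted form:", redact(lines[line_no - 1]))
```

Run it as a script to see the two hits in the constructed sample, or call scan_file() on a client log from a test endpoint. A hit means anyone who can read that file can replay the session until the gateway expires it, regardless of how strong the login step was. The in-memory half of the finding is not covered here; confirming that needs a memory dump of the running client.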
(Score: 5, Interesting) by Anonymous Coward on Sunday April 14 2019, @01:48PM (3 children)
I started to use pfSense a very long time ago, out of curiosity only. And I must admit, it was an initiator which in a span of a couple of years actually made me want FreeBSD on all of my network equipment, including servers and lately, even desktops. For pure technical reasons, like uptime robustness or IPv6 stack quality, or a true filesystem, not because of any ideology. So it came to pass that I used all kinds of Linux contraptions for 17 years in total, but now none of them.
(disclaimer: my 18cm beard is now a serious BSD bias indicator)
(Score: 0) by Anonymous Coward on Sunday April 14 2019, @02:30PM (1 child)
I also prefer *BSD, and always have, even from the 'net' days, but video drivers are a killer. That forces many of us into Linux-land.
(Score: -1, Offtopic) by Anonymous Coward on Sunday April 14 2019, @02:34PM
test response
(Score: 4, Interesting) by crafoo on Sunday April 14 2019, @02:55PM
yep, pfsense is pretty nice. I got into it about the same way - tried it out on a router. No issues with it for years, and it has VPN setup as well as DNS and a few other nice features configured. FreeNAS is pretty decent too and is BSD. I tried a few desktop BSD distributions and they seem alright, but the video situation is not that great as you mentioned. I have another little box with SVN and some random web server stuff on it too. One thing I really like - the BSD documentation is pretty good.
(Score: 0) by Anonymous Coward on Sunday April 14 2019, @02:28PM (3 children)
Typical Cisco.
Expect a cost for these 'future designs'.
(Score: 2, Interesting) by RandomFactor on Sunday April 14 2019, @02:33PM (2 children)
While the response is weak from Cisco (it's worse if you read the underlying article), I would be surprised if they charge any extra for a future rev to AnyConnect.
My involvement with Cisco tends to be indirect at best though, so if charging for routine revs is SOP I'll stand corrected.
"In Pravda there is no news, in Izvestia there is no truth."
(Score: 2) by jmorris on Sunday April 14 2019, @08:47PM (1 child)
Well you don't pay for the patches with Cisco, you pay for the maintenance agreement and it just happens to be the only way to get patches. Nah, they wouldn't dream of selling defective products and forcing customers to pay them to fix the defects. That would be immoral.
(Score: 2) by Freeman on Monday April 15 2019, @03:33PM
At least they assume something's going to go wrong and are upfront about the likelihood that you're going to need support. I would say it's a much better solution than the alternative ("It doesn't work? Time to get a new one.") approach.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0) by Anonymous Coward on Sunday April 14 2019, @04:56PM
Of course, unless you really know what you're doing, tor is for browser only.
(Score: -1, Flamebait) by Anonymous Coward on Sunday April 14 2019, @06:35PM
if you're using a proprietary vpn you're a stupid or skanky SOB and deserve to be compromised.
(Score: 0) by Anonymous Coward on Sunday April 14 2019, @08:16PM
Either it's secure or no one is looking at it. (Hopefully it's the former.)
(Score: 2) by arslan on Sunday April 14 2019, @10:38PM
Reading the linked CERT vuln. I quote:
If I have access to the endpoint, any VPN is moot. If I can exfiltrate secrets from the endpoint, cookies or keys, any VPN is moot.