Enterprise VPN Apps Store Authentication and Session Cookies Insecurely

Updated on: 14 April 2019
Updated on: 14 April 2019

VPNs are at the height of their popularity nowadays, and anyone who wants to be anonymous on the internet will eventually subscribe to one. Its security and encryption protocols will guarantee your privacy.

But is that really true?

Does the zero-logging policy enforced by most premium VPNs really ensure that your data isn’t leaked to the outside?

The Carnegie Mellon University CERT Coordination Center has found out that four enterprise VPN apps store the authentication and session cookies insecurely. More specifically, they are stored in memory or log files.

And these session cookies are completely unencrypted, left to the mercy of anyone smart enough to realize their significance. There’s plenty of room for cyber-warfare here.

The National Defense ISAC Remote Access Working Group backed up this information and released information regarding these phantom log-files.

We’re talking about VPN apps devised by four vendors:

  • Cisco
  • Palo Alto Networks
  • Pulse Secure
  • F5 Networks

1. Enterprise VPNs not to be trusted?

The problem would have been slightly less worrying if we were talking about normal VPNs. But these are enterprise online security providers used by companies, by countless IT teams working with massive servers.

The company’s resources are being rerouted through the encrypted networks, with the staff accessing it on a daily basis. If the VPNs protecting such companies would suffer from leaks and these session cookies were hacked by someone, the losses would be immense.

Just imagine that a company overseeing donation campaigns were to have its databases hacked. That person would have access to the names of all the donors, their banking information, and other confidential data.

All because of some session cookies stored in an insecure location and left unencrypted. These apps automatically generate tokens that contain the log-in information of any user’s password so they no longer have to reenter their password any time they access that service.

These tokens, once used, would provide access to that specific account without the need for a password.

2. What VPN apps are vulnerable?

The CVE-2019-1573, the flaw in question, has been found in as many as 4 VPN apps:

  • Cisco AnyConnect 4.7x and all prior versions
  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows
  • Palo Alto Networks GlobalProtect Agent 4.1.10 and earlier for the macOS
  • Pulse Secure Connect Secure all the way to 8.1R14, 8.2, 8.3R6, and 9.0R2

Palo Alto Networks immediately acknowledged this chink in their security and released an update for the affected apps.

As for Pulse Secure and Cisco, they haven’t released any public statements as of yet. F5 Networks, on the other hand, simply says that if you’re using a vulnerable version, you can simply upgrade or downgrade to a safe one.

These weaknesses can be easily exploited by a hacker with access to the computer, or if he is running malware on the device. Both of these methods can lead to the extraction of these cookies.

In the end, they will provide the hacker with access to the VPN’s previous sessions’ information. In the case of enterprise VPNs, we’re talking about unrestricted access to a company’s internal network and databases.

3. What other VPN apps store these cookies?

CERT/CC specifically states this – “It is likely that this configuration is generic to additional VPN applications”, while also listing more than 230 VPN vendors under suspicion.

Check Point Software Technologies, LANCOM Systems Gmbh, and pfSense have been tested and were found to be safe. They aren’t storing these session cookies.

As for the rest, however, there is no data available. For safety reasons, we might as well assume that they are vulnerable to exploitation, and be vigilant. Until the contrary is proven, it’s best to keep safe.

The VPN industry has been struck a heavy blow with this revelation, and many are going to take a plunge downward if they don’t offer proper explanations for the vulnerability.

The affected VPN apps are bound to be patched and secured. This is of the utmost importance, especially now that cyber-warfare has advanced as much as it did. If the IT experts were able to pinpoint these authentication and session cookies, shouldn’t we assume that a lucky hacker stumbled upon them as well?

4. How to make sure your VPN is good

This news shouldn’t be exaggerated either. Not all VPNs suffer from this crippling security weakness, not by a long-shot.

Generally, when choosing a VPN provider, you should pay attention to a series of factors:

  • Security and encryption protocols
  • The privacy and logging policy
  • Jurisdiction
  • IP/DNS/WebRTC leaks

Look for the premium VPNs that have built themselves a reputation based on high-quality services, professionalism, and excellence. Names like NordVPN, ExpressVPN, SurfShark, have become notorious in this industry.

For a good reason as well. They offer premium services and trustworthy guarantees. Their promises of anonymity and privacy aren’t just empty words. Instead, they are backed up by countless content customers.

Read user reviews as well as professional opinions on the matter, check a VPN’s ratings, its presence on the market, and contact their customer support to clarify any questions you might have.

Evidently, you can’t be expected to know of a VPN’s security system beforehand, and whether they have definitive protection or just a crappy brick-wall can be revealed by other customers.

Take a look at this in-depth analysis of the top 100 VPNs in the industry. It talks about its market presence, the number of searches on Google, and also the app installs and user ratings.

We shall see how these session cookies will be approached by the involved VPN vendors. One of them has already issued a patch, but the others have yet to come with a solution.

Written by: Bogdan Patru

Author, creative writer, and tech-geek. Bogdan has followed his passion for the digital world ever since he got his hands of his first pc. After years of accumulating knowledge and experience, the good Samaritan in him whispered him one day about the virtue of sharing that knowledge with those who needed it. It was 2014 when that idea would grow into a life-defining passion. One that keeps driving him to this day.

Leave a Reply

Your email address will not be published. Required fields are marked *