Newcomer I

Enterprise VPN Vulnerability

What does everyone make of this issue?

https://threatpost.com/authentication-bypass-bug-enterprise-vpns/143781/

Cisco and some other vendors are basically saying it’s not an issue and are not going to be “patching” their product.

Are any organizations out there taking any action on this CERT notification?
1 Solution

Accepted Solutions
Newcomer III

Re: Enterprise VPN Vulnerability

I'm in the camp of: if you think this attack is going to be a problem, then you have bigger problems you need to resolve first. Like an actor having persistent access to the endpoint and the ability to dump your memory and search for cookies and tokens.

They could install a keylogger and just use valid credentials.

Doesn't mean the issue shouldn't be addressed. I think the vendors in this respect correctly triaged the issue and will fix it later down the line.

Kind Regards,
Wayne

4 Replies
Newcomer II

Re: Enterprise VPN Vulnerability

It seems Palo Alto already accepted the vulnerability and provided remediation. Cisco was challenging the finding.

Newcomer I

Re: Enterprise VPN Vulnerability

If you look at each vendor's issue, Palo Alto did have some issues in that their software was writing credentials and/or tokens to log files, which is unacceptable.

The part I’m grappling with is that Cisco seems to have a valid point: their software stores tokens in system memory, which I feel is fairly common to not encrypt when in memory (data-in-use). Their argument is the token is stored in secure memory which would only be accessible if the system was already compromised.
Again, it feels like their stance is fairly reasonable and they are being lumped in and thrown under the bus here with other vendors that are doing some less than stellar practices (writing secrets to logs).

That said, I’m not expecting Cisco to issue a patch anytime soon but would like to look at some compensating controls to protect against VPN token reuse.

Newcomer I

Re: Enterprise VPN Vulnerability

I would agree. I have yet to see a CVSS score for any of these, but I’d suspect they are low given this isn’t actually an RCE or privilege escalation issue.
Also, the vendors addressing issues are the ones that are putting values in log files or using clientless agents (web-based VPN) and not marking cookies as secure, which is web security 101.
Thanks for validating my thoughts.
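One concrete check behind the "web security 101" point in the last reply: an added Python example (not from this thread or any vendor) that audits Set-Cookie headers from a clientless VPN portal and reports session cookies set without Secure, HttpOnly or SameSite. The sample headers and cookie names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the attributes a session/token
# cookie should carry. Sample headers below are constructed, not captured
# from any real product.
from typing import Dict, List, Tuple

# Flag attributes every session cookie should carry (standard attribute names).
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into name/value plus attributes.
    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"__name__": name.strip(), "__value__": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_set_cookie(header: str) -> List[str]:
    """Return the list of problems found in a single Set-Cookie header."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    for flag in REQUIRED_FLAGS:
        if flag.lower() not in c:
            findings.append(f"missing {flag}")
    samesite = c.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in c:
        # Browsers reject SameSite=None without Secure; flag it explicitly.
        findings.append("SameSite=None requires Secure")
    if "expires" in c or "max-age" in c:
        # A persistent token is written to the browser's cookie store on disk.
        findings.append("persistent token (Expires/Max-Age set)")
    return findings


# Constructed sample headers: one weak, one hardened, one half-fixed.
SAMPLE_HEADERS = [
    "webvpn=abc123; Path=/",
    "webvpn=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "portal=xyz; Path=/; SameSite=None; HttpOnly",
]


def audit_all(headers: List[str] = SAMPLE_HEADERS) -> List[Tuple[str, List[str]]]:
    """Audit a batch of headers; returns (cookie name, findings) per header."""
    return [(parse_set_cookie(h)["__name__"], audit_set_cookie(h)) for h in headers]


if __name__ == "__main__":
    for name, problems in audit_all():
        print(name, "->", problems or "OK")
```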