Clayjk
Newcomer I

Enterprise VPN Vulnerability

What does everyone make of this issue?

https://threatpost.com/authentication-bypass-bug-enterprise-vpns/143781/

Cisco and some other vendors are basically saying it’s not an issue and are not going to be “patching” their product.

Are any organizations out there taking any action on this CERT notification?
Pquesadaz
Newcomer II

It seems Palo Alto already accepted the vulnerability and provided remediation. Cisco was challenging the finding.

Clayjk
Newcomer I

If you look at each vendor's issue, Palo Alto did have some issues in that their software was writing credentials and/or tokens to log files, which is unacceptable.

The part I’m grappling with is that Cisco seems to have a valid point: their software stores tokens in system memory, which I feel is fairly common not to encrypt while in memory (data-in-use). Their argument is that the token is stored in secure memory which would only be accessible if the system was already compromised.
Again, it feels like their stance is fairly reasonable and they are being lumped in and thrown under the bus here with other vendors that are following some less than stellar practices (writing secrets to logs).

That said, I’m not expecting Cisco to issue a patch anytime soon but would like to look at some compensating controls to protect against VPN token reuse.
Wayne_Evans
Newcomer III

I'm in the camp of: if you think this attack is going to be a problem, then you have bigger problems you need to resolve first, like an actor having persistent access to the endpoint and the ability to dump your memory and search for cookies and tokens.

They could install a keylogger and just use valid credentials.

That doesn't mean the issue shouldn't be addressed; I think the vendors in this respect correctly triaged the issue and will fix it later down the line.

Kind Regards,
Wayne

Clayjk
Newcomer I

I would agree. I have yet to see a CVSS score for any of these, but I’d suspect they are low given this isn’t actually an RCE or privilege escalation issue.
Also, the vendors addressing issues are the ones that are putting values in log files or using clientless agents (web-based VPN) and not marking cookies as secure, which is web security 101.
Thanks for validating my thoughts.
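The "web security 101" point above, the session cookie of a clientless (web-based) VPN portal being set without the Secure flag, is the kind of thing a defender can audit directly from the portal's response headers. The following is an added example, not code from any poster in this thread or from any vendor; the cookie names and header lines are constructed, and the name pattern used to pick out session-like cookies is an assumption you would tune to your own portal.

```python
import re

# Constructed sample response headers from a hypothetical web VPN portal.
SAMPLE_HEADERS = [
    "Set-Cookie: webvpn=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Set-Cookie: sessionid=def456; Path=/",
    "Set-Cookie: theme=dark; Path=/; Max-Age=31536000",
    "Content-Type: text/html",
]

# Assumed heuristic: cookie names that usually carry session/auth material.
SESSION_NAME_HINT = re.compile(r"(sess|token|auth|vpn|sid)", re.IGNORECASE)

# Attributes a session cookie should carry so it is not sent in clear text,
# not readable by page scripts, and not attached to cross-site requests.
REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def parse_set_cookie(line):
    """Return (cookie_name, {attribute_lower: value}) for one Set-Cookie header line."""
    body = line.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")  # flag attributes have no '='
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(headers):
    """Return {cookie_name: [missing attributes]} for session-like cookies only."""
    findings = {}
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        if not SESSION_NAME_HINT.search(name):
            continue  # a preference cookie; not session material
        missing = [a for a in REQUIRED_ATTRS if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Feed it the headers captured from your own portal login response (for example from a browser's network panel) to see which session cookies would be exposed on the wire or to scripts.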