Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Clayjk
Newcomer I
‎04-15-2019 08:41 PM
‎04-15-2019 08:41 PM

Enterprise VPN Vulnerability

What does everyone make of this issue?

https://threatpost.com/authentication-bypass-bug-enterprise-vpns/143781/

Cisco and some other vendors are basically saying it’s not an issue and are not going to be “patching” their product.

Are any organizations out there taking any action on this CERT notification?
Reply
4 Replies
Pquesadaz
Newcomer II
‎04-16-2019 02:51 AM
‎04-16-2019 02:51 AM

It seems Palo Alto already accepted the vulnerability and provided remediation. Cisco was challenging the finding.

Reply
0 Kudos
Clayjk
Newcomer I
‎04-16-2019 09:20 AM
‎04-16-2019 09:20 AM

If you look at each vendors issue Palo Alto did have some issues in that their software was writing credentials and/or tokens to log files which is unacceptable.

The part I’m grappling with is Cisco seems to have a valid point that their software stores tokens in system memory which I feel it’s fairly common to not encrypt when in memory (data-in-use). Their argument is the token is stored in secure memory which would only be accessible if the system was already compromised.
Again, feels like their stance is fairly reasonable and they are being lumped in and thrown under the bus here with other vendors that are doing some less than stellar practices (writing secrets to logs).

That said, I’m not expecting Cisco to issue a patch anytime soon but would like to look at some compensating controls to protect against VPN token reuse.
Reply
0 Kudos
Wayne_Evans
Newcomer III
‎04-17-2019 10:33 AM
‎04-17-2019 10:33 AM

I'm in the camp of if you think this attack is a going to be a problem, then you have bigger problems you need to resolve first.  Like an actor having persistent access to the endpoint and has the ability to dump your memory and search for cookies and tokens.

They could install a keylogger and just use valid credentials.  

Doesn't mean the issue shouldn't be addressed, I think the vendors in this respect correctly triaged the issue and will fix it later down the line.  

Kind Regards,
Wayne

Reply
Clayjk
Newcomer I
‎04-17-2019 05:28 PM
‎04-17-2019 05:28 PM

I would agree. I have yet to see a CVSS score for any of these but I’d suspect they are low given this isn’t actually a RCE or privilege escalation issue.
Also, any of the vendors addressing issues are the ones that are putting values in log files or using clientless agents (web based vpn) and not marking cookies as secure which is web security 101.
Thanks for validating my thoughts.
Reply
0 Kudos