Cyber Alert: Vulnerabilities Discovered in VPN Applications
On April 11, researchers from the Carnegie Mellon Software Institute announced security vulnerabilities in multiple virtual private network (VPN) applications. These VPN agent software programs connect users to corporate computer networks over secure internet channels.
The vulnerabilities involve the software storing login information in an insecure, non-encrypted fashion, either in temporary system memory or in log files. Attackers can locate and exploit this information to gain entry into the corporate network, impersonate the original user, and gain access to data and resources.
The reported vulnerabilities have been detected in the following software:
- Palo Alto Networks GlobalProtect™ 4.1.0 for Windows
- Palo Alto Networks GlobalProtect™ 4.1.10 and earlier for mac OSX
- Pulse Connect Secure® prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
- Cisco AnyConnect® 4.7.x and prior
ACA Aponix Guidance
ACA Aponix recommends taking the following actions regarding the VPN application vulnerabilities:
- Assess VPN agent software currently in use in your company. If your company is using one of the software agents listed above, be sure to upgrade to a version number higher than those indicated.
- If VPN agent software in use is not among the brands in use, contact the manufacturer as well as the Carnegie Mellon research organization to assess if the vulnerability applies and how to fix it.
- Consider blocking inbound VPN connections from non-compliant, outdated VPN clients, including those versions of VPN clients listed above.
- Leverage multi-factor authentication for all remote access, including VPN.
- Carefully monitor logs and intrusion detection systems for suspicious activity.
How ACA Can Help
ACA Aponix offers the following solutions that can help your company ensure strong security in light of the VPN software vulnerability:
- Cybersecurity and technology risk assessments
- Penetration testing and vulnerability assessments
- Policies, procedures, and governance
- Cyber incident response planning
- Threat intelligence
If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.