Preface: Who is cookie? Is it cookie monster? Multiple VPN applications insecurely store session cookies – 11th Apr 2019
Technical background: An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.
Vulnerability details: The following products and versions store the cookie insecurely in memory:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
- Cisco AnyConnect 4.7.x and prior
My observation: A technical limitation on Clientless SSL VPN. If SSO authentication implement to clientless ssl VPN. The webbase VPN machine must keeps the cookie on behalf of the user and uses it to authenticate the user to secure websites within the domain protected by the SSO server. And therefore VPN applications might store the authentication and/or session cookies insecurely in memory.