Who is cookie? Is it cookie monster? Multiple VPN applications insecurely store session cookies – 11th Apr 2019

Preface: Who is cookie? Is it cookie monster? Multiple VPN applications insecurely store session cookies – 11th Apr 2019

Technical background: An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

Vulnerability details: The following products and versions store the cookie insecurely in memory:

  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
  • Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
  • Cisco AnyConnect 4.7.x and prior

Reference: https://kb.cert.org/vuls/id/192371/

My observation: A technical limitation on Clientless SSL VPN. If SSO authentication implement to clientless ssl VPN. The webbase VPN machine must keeps the cookie on behalf of the user and uses it to authenticate the user to secure websites within the domain protected by the SSO server. And therefore VPN applications might store the authentication and/or session cookies insecurely in memory.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.