Corporate VPN Clients: Vulnerabilities Uncovered and Solutions Revealed

Palo Alto Networks Vulnerability

Researchers have recently uncovered critical vulnerabilities in the update mechanisms of two major corporate VPN clients, Palo Alto Networks’ GlobalProtect App and SonicWall’s NetExtender VPN client. These vulnerabilities, tracked as CVE-2024-5921 and CVE-2024-29014 respectively, can be exploited by malicious actors to remotely execute code on users’ devices, posing a serious threat to cybersecurity.

Palo Alto Networks: GlobalProtect App

The CVE-2024-5921 vulnerability impacts various versions of Palo Alto’s GlobalProtect App on Windows, macOS, and Linux. The flaw arises from insufficient certificate validation, which lets attackers connect the GlobalProtect app to arbitrary servers. A rogue server can then install a malicious root certificate on the endpoint, after which malicious software signed under that certificate is accepted for installation.

According to researchers Richard Warren and David Cash from AmberWolf, both the Windows and macOS versions of the GlobalProtect VPN client are vulnerable to remote code execution (RCE) and privilege escalation through the automatic update mechanism. Although the update process requires MSI files to be signed, attackers can abuse the PanGPS service to install an attacker-controlled root certificate that the endpoint then trusts, which is enough to achieve RCE and privilege escalation.
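The mechanism described above hinges on a new root certificate being added to the endpoint’s trust store. The PowerShell below is an added example, not code from the article, from AmberWolf, or from Palo Alto Networks: it snapshots the machine and user trusted root stores once on a known-good build and later reports any roots that have appeared since. The baseline file location is an assumption chosen for this example.

```powershell
# Added example (not from the article or either vendor): detect trusted roots
# that were added to a Windows endpoint after a known-good baseline was taken.
# The baseline path below is an assumption chosen for this example.

$BaselinePath = 'C:\ProgramData\RootBaseline\roots.json'   # assumed location

# Both stores matter: a service running as SYSTEM (such as PanGPS) can write to
# the machine store, while user-level code can add roots to the user store.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-TrustedRootSnapshot {
    # One record per (store, thumbprint) pair currently trusted on this host.
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotBefore  = $_.NotBefore
            }
        }
    }
}

function Save-RootBaseline {
    # Run once on a clean, freshly provisioned endpoint.
    $snapshot = @(Get-TrustedRootSnapshot)
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    "Saved $($snapshot.Count) trusted roots to $BaselinePath"
}

function Get-NewTrustedRoots {
    # Run on a schedule; any output is a root that was not in the baseline.
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $known = $baseline | ForEach-Object { "$($_.Store)|$($_.Thumbprint)" }
    Get-TrustedRootSnapshot | Where-Object { "$($_.Store)|$($_.Thumbprint)" -notin $known }
}

# Usage (elevated session so the machine store is readable in full):
#   Save-RootBaseline        # once, on a known-good image
#   Get-NewTrustedRoots      # later; investigate every record it returns
```

A root that shows up here with a subject nobody in the organisation recognises, or whose NotBefore date coincides with a VPN connection to an unexpected gateway, is exactly the artifact this class of attack leaves behind; correlate it with the PanGPS service activity on that host before deciding whether the endpoint is compromised.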

Palo Alto has addressed this issue in GlobalProtect app version 6.2.6 and later on Windows. Additionally, the company has introduced a new configuration parameter (FULLCHAINCERTVERIFY) to enforce stricter certificate validation against the system’s trusted certificate store. However, there are currently no fixes available for the macOS or Linux versions of the app, according to Palo Alto Networks’ security advisory.

As a workaround, users can enable FIPS-CC mode for the GlobalProtect app on endpoints and the GlobalProtect portal/gateway. Moreover, implementing host-based firewall rules can prevent users from connecting to malicious VPN servers, thereby reducing the risk of exploitation.

SonicWall Vulnerability

The CVE-2024-29014 vulnerability affects SonicWall’s NetExtender VPN client for Windows versions 10.2.339 and earlier. This vulnerability allows attackers to execute code with SYSTEM privileges during the processing of an End Point Control (EPC) Client update due to insufficient signature validation.

Researchers at AmberWolf have identified several exploitation scenarios for this vulnerability. For instance, attackers can trick users into connecting their NetExtender client to a malicious VPN server and install a fake EPC Client update. Additionally, with the installation of the SMA Connect Agent, attackers can exploit a custom URI handler to compel the NetExtender client to connect to their server through a simple user interaction, such as visiting a malicious website or opening a malicious document.

SonicWall has released patches to address this vulnerability in NetExtender Windows 10.2.341 and later versions, urging users to upgrade promptly. In cases where an immediate upgrade is not feasible, users are advised to use a client firewall to restrict access to known legitimate VPN endpoints, preventing inadvertent connections to malicious servers.
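Both vendors’ interim workaround above is a client firewall that restricts the VPN client to known legitimate endpoints. The PowerShell below is an added example, not code from the article or from either vendor; it assumes Windows Defender Firewall, an elevated session, a placeholder path for the VPN client executable, and placeholder gateway addresses. Because Windows evaluates Block rules before Allow rules, an allow-list for a single program is expressed as one Block rule covering every IPv4 address that is not a known gateway.

```powershell
# Added example (not from the article or either vendor): confine a VPN client
# executable to the organisation's known gateway addresses.
# Executable path and gateway addresses are placeholders; replace them with the
# values from your own deployment. Requires an elevated PowerShell session.

$VpnClientExe  = 'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe'  # assumed path
$KnownGateways = @('203.0.113.10', '203.0.113.11')   # placeholder (documentation range)
$RuleName      = 'VPN client: block unknown gateways'

function ConvertTo-UInt32Ip([string]$ip) {
    # Dotted IPv4 string -> host-order unsigned integer.
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32Ip([uint32]$value) {
    # Host-order unsigned integer -> dotted IPv4 string.
    $bytes = [BitConverter]::GetBytes($value)
    [Array]::Reverse($bytes)
    ([System.Net.IPAddress]::new($bytes)).ToString()
}

function Get-BlockedRanges([string[]]$allowed) {
    # Complement of the allow-list over the whole IPv4 space, as "a-b" ranges
    # in the syntax New-NetFirewallRule -RemoteAddress accepts.
    $sorted = $allowed | ForEach-Object { ConvertTo-UInt32Ip $_ } | Sort-Object -Unique
    $ranges = @()
    [uint64]$next = 0
    foreach ($addr in $sorted) {
        if ([uint64]$addr -gt $next) {
            $ranges += "$(ConvertFrom-UInt32Ip ([uint32]$next))-$(ConvertFrom-UInt32Ip ([uint32]($addr - 1)))"
        }
        $next = [uint64]$addr + 1
    }
    if ($next -le [uint32]::MaxValue) {
        $ranges += "$(ConvertFrom-UInt32Ip ([uint32]$next))-255.255.255.255"
    }
    $ranges
}

function Set-VpnClientAllowList {
    # Replace any earlier copy of the rule, then block the client everywhere
    # except the known gateways. Block rules win over Allow rules on Windows,
    # so no separate Allow rule is needed for the gateways themselves.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
        -Program $VpnClientExe -RemoteAddress (Get-BlockedRanges $KnownGateways) `
        -Action Block -Profile Any | Out-Null
    Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
}

# Usage: Set-VpnClientAllowList
```

Two caveats a practitioner should keep in mind: firewall rules match addresses, not DNS names, so the gateway list has to be maintained when the portal or gateway IPs change; and the ranges above cover IPv4 only, so if the client can reach gateways over IPv6 the same treatment has to be applied to that address family as well.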

Understanding the Risk: NachoVPN Tool

The researchers behind these findings emphasized the critical importance of VPN clients for secure remote access. However, they also highlighted the significant attack surface presented by the elevated system privileges of these tools. To aid in comprehending these risks, the researchers have developed NachoVPN, an open-source tool designed to simulate rogue VPN servers capable of exploiting vulnerabilities in VPN clients.

In conclusion, the discovery of these vulnerabilities in corporate VPN clients underscores the ongoing challenges in maintaining robust cybersecurity defenses. It serves as a reminder for organizations and individuals alike to remain vigilant, implement necessary security measures, and stay informed about potential threats to safeguard their digital assets and privacy.