Several enterprise virtual private networking apps are vulnerable to a security bug that can allow an attacker to remotely break into a company’s internal network, according to a warning issued by Homeland Security’s cybersecurity division.

An alert was published Friday by the government’s Cybersecurity and Infrastructure Security Agency following a public disclosure by CERT/CC, the vulnerability disclosure center at Carnegie Mellon University.

The VPN apps built by four vendors — Cisco, Palo Alto Networks, Pulse Secure, and F5 Networks — improperly store authentication tokens and session cookies on a user’s computer. These aren’t your traditional consumer VPN apps used to protect your privacy, but enterprise VPN apps that are typically rolled out by a company’s IT staff to allow remote workers to access resources on a company’s network.

The apps generate tokens from a user’s password and store them on the user’s computer to keep the user logged in without having to reenter their password every time. But if stolen, these tokens can allow access to that user’s account without needing their password.

With access to a user’s computer, such as through malware, an attacker could steal those tokens and use them to gain access to a company’s network with the same level of access as the user. That includes company apps, systems and data.

So far, only Palo Alto Networks has confirmed its GlobalProtect app was vulnerable. The company issued a patch for both its Windows and Mac clients.

Neither Cisco nor Pulse Secure has patched its apps. F5 Networks is said to have known about the insecure token storage since at least 2013 but advised users to roll out two-factor authentication instead of releasing a patch.

CERT warned that hundreds of other apps could be affected — but more testing was required.


Enterprise – TechCrunch
