VPN apps from Cisco, F5, Palo Alto Networks, and Pulse Secure found vulnerable.
At least four Virtual Private Network (VPN) applications sold or made available to enterprise customers share security flaws, warns the Carnegie Mellon University CERT Coordination Center (CERT/CC).
VPN apps from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure are impacted, CERT/CC analyst Madison Oliver said in a security alert published earlier today.
All four have been confirmed to store authentication and/or session cookies in a non-encrypted form inside a computer's memory or log files saved on disk.
An attacker with access to the computer, or malware running on the computer, can retrieve this information and then use it on another system to resume the victim's VPN sessions without needing to authenticate. This allows an attacker direct and unimpeded access to a company's internal network, intranet portals, or other sensitive applications.