Researchers at offensive cyber solutions provider AmberWolf have disclosed the details of a new attack method that can be leveraged against widely used corporate VPN clients.
VPNs are often used by organizations for secure remote access, but the AmberWolf researchers showed that the attack surface they introduce should not be ignored.
They also published an open source tool named NachoVPN, which demonstrates the attack against Palo Alto Networks and SonicWall VPNs through recently patched vulnerabilities, as well as against Cisco AnyConnect and Ivanti Connect Secure through older flaws. The tool’s plugin-based architecture enables users to add support for other products as well.
The attack, which works on both Windows and macOS, leverages the trust relationship between the VPN client and the server. NachoVPN is designed to simulate a rogue VPN server that can exploit vulnerabilities in the VPN clients connecting to it.
In the case of the Palo Alto Networks product, specifically the GlobalProtect VPN client, the researchers showed how an attacker could target the automatic update mechanism to install a malicious root certificate and achieve remote code execution and privilege escalation.
An attacker needs to trick the targeted user into connecting to their rogue VPN server, which AmberWolf says can be achieved through social engineering.
Palo Alto Networks, which tracks the vulnerability as CVE-2024-5921, describes it as a medium-severity insufficient certificate validation issue in the GlobalProtect app for Windows, macOS and Linux.
The company published an advisory and announced patches for the security hole on November 26, the same day the researchers published blog posts detailing their findings.
Palo Alto Networks pointed out that the attacker needs to have local non-admin access to the operating system or be on the same subnet as the victim in order to exploit the flaw.
The issue is fixed in GlobalProtect 6.2.6 on Windows, and mitigations are also available. The company noted that it is not aware of malicious exploitation, but pointed out that a PoC (i.e., the NachoVPN tool) is publicly available.
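Because the GlobalProtect attack ends with a malicious root certificate landing in the trust store, a cheap post-patch check is to baseline the trusted roots on a known-good machine and alert on anything that appears later. The script below is an added example written for this article; it is not code from AmberWolf, Palo Alto Networks or the NachoVPN project, and the script name and the `root-baseline.json` path are assumptions. It reads the Windows ROOT store through `ssl.enum_certificates`, which only exists in the Windows build of CPython; the baseline and diff logic is portable, so the same approach can be fed certificates dumped from another platform.

```python
"""Baseline-and-diff check for unexpected trusted root certificates.

Added example, not vendor or NachoVPN code. Records the SHA-256 fingerprint of
every certificate in the Windows ROOT store and later reports roots that were
not in the baseline. Store enumeration is Windows-only (ssl.enum_certificates).
"""
import hashlib
import json
import ssl
import sys
from pathlib import Path

BASELINE_PATH = Path("root-baseline.json")  # assumed location for the baseline file
STORE = "ROOT"  # Windows system store name accepted by ssl.enum_certificates


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as upper-case hex."""
    return hashlib.sha256(der).hexdigest().upper()


def collect_roots(store: str = STORE) -> dict:
    """Return {fingerprint: DER bytes} for the X.509 certificates in a Windows store.

    ssl.enum_certificates yields (cert_bytes, encoding_type, trust) tuples; only
    'x509_asn' entries are certificates, other encodings (e.g. PKCS#7) are skipped.
    """
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates is only available on Windows")
    roots = {}
    for der, encoding, _trust in ssl.enum_certificates(store):
        if encoding == "x509_asn":
            roots[fingerprint(der)] = der
    return roots


def diff_against_baseline(current, baseline):
    """Return (added, removed): fingerprints present now but not in the baseline,
    and fingerprints in the baseline that have disappeared. Both lists are sorted."""
    current, baseline = set(current), set(baseline)
    return sorted(current - baseline), sorted(baseline - current)


def save_baseline(fingerprints, path: Path = BASELINE_PATH) -> None:
    path.write_text(json.dumps(sorted(fingerprints), indent=2))


def load_baseline(path: Path = BASELINE_PATH) -> set:
    return set(json.loads(path.read_text()))


if __name__ == "__main__":
    # usage: python root_baseline.py baseline   (on a known-good machine)
    #        python root_baseline.py check      (exit 1 if a new root is present)
    cmd = sys.argv[1] if len(sys.argv) > 1 else "check"
    roots = collect_roots()
    if cmd == "baseline":
        save_baseline(roots.keys())
        print(f"recorded {len(roots)} root certificates in {BASELINE_PATH}")
    else:
        added, removed = diff_against_baseline(roots.keys(), load_baseline())
        for fp in added:
            # Print the PEM so the unexpected root can be inspected with openssl/certutil.
            print(f"NEW ROOT {fp}\n{ssl.DER_cert_to_PEM_cert(roots[fp])}")
        for fp in removed:
            print(f"MISSING ROOT {fp}")
        sys.exit(1 if added else 0)
```

Take the baseline from a freshly imaged host before it ever connects to a VPN portal, store it somewhere the endpoint cannot modify, and run the check from a scheduled task or your EDR's script runner; a new root that is not a Windows Update or enterprise PKI change is worth an incident ticket. On macOS the equivalent input can be produced with `security find-certificate -a -p` against the System keychain and hashed the same way.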
In the case of the SonicWall product, AmberWolf researchers discovered that the attack works against the SMA100 NetExtender VPN client for Windows.
SonicWall is tracking the vulnerability as CVE-2024-29014 and has assigned it a ‘high severity’ rating. The vendor released patches in mid-July and pointed out that firewalls running SonicOS are not affected, and neither is the NetExtender Linux client.
According to AmberWolf, the SonicWall vulnerability allows remote code execution with System privileges, and exploitation only requires the targeted user to visit a malicious website and accept a browser prompt.
Related: Fortinet VPN Zero-Day Exploited in Malware Attacks Remains Unpatched
Related: Port Shadow Attack Allows VPN Traffic Interception, Redirection
Related: Exploitation of Recent Check Point VPN Zero-Day Soars