DHS alerts industry to insecure enterprise VPN apps

The bug affects at least 4 enterprise VPN vendors.

The Department of Homeland Security on Friday alerted the public to a vulnerability in multiple virtual private network applications that could give a hacker access to other apps running on a VPN connection.

The flaw involves the insecure storage of cookies in memory or in log files, and affects enterprise VPN apps made by Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure. Other vendors could be affected because the configuration issue is likely “generic” to other VPN apps, according to an advisory cited by DHS from Carnegie Mellon University’s CERT Coordination Center.

“If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods,” CERT CC said. “An attacker would then have access to the same applications that the user does through their VPN session.”

While Palo Alto Networks had patched its VPN product, Cisco had not, according to CERT CC. The added attention brought by the advisory could change that.

F5 Networks has fixed the insecure log storage issue in a newer version of its VPN app, and has advised users to employ two-factor authentication or a one-time password to address the memory storage flaw.

Pulse Secure said it issued an advisory on the vulnerability on April 11 and that the latest versions of its Pulse Desktop Client and Network Connect product fixed the issue.

VPN services are an important privacy tool that obfuscates a user’s location. However, if compromised, they can be a valuable foothold for attackers looking for access to organizations that use VPNs. Last month, Citrix, a VPN service widely used in the corporate world, announced that “international cyber criminals” had breached its internal network.

U.S. lawmakers are also worrying about the threat posed by foreign-made VPN apps to federal employees. Sens. Marco Rubio, R-Fla., and Ron Wyden, D-Ore., in February asked DHS for a threat assessment on the subject.

UPDATE, April 15, 4:50 p.m. EDT: This story has been updated with a statement from Pulse Secure showing that the vulnerability had been addressed in its product updates.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.