- AmberWolf researchers find two flaws in popular VPN products
- The flaws can be abused to make VPN clients connect to malicious servers
- Such servers can use the connection to steal login credentials, install malware, and more.
Security researchers warn that hackers have been using compromised VPN servers to steal sensitive information from connected VPN clients.
Earlier this year, cybersecurity experts at AmberWolf discovered that criminals were tricking people into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to VPN servers under their control.
Criminals used malicious websites, social engineering and phishing documents to lure people into connecting.
Solving the problem
Because the vulnerable VPN clients fail to properly authenticate and verify the legitimacy of the VPN server, attackers can impersonate trusted servers and carry out various malicious actions, including stealing victims' login credentials, executing arbitrary code with elevated privileges, installing malware via software updates, and more.
AmberWolf named the vulnerabilities “NachoVPN” and reported them to the respective organizations.
On SonicWall's side, the bug was tracked as CVE-2024-29014 and was fixed in July 2024, while on Palo Alto Networks' side, it was tracked as CVE-2024-5921 and fixed in November 2024.
The first fixed version of NetExtender for Windows is 10.2.341. For Palo Alto Networks, users must install GlobalProtect 6.2.6 or run their VPN client in FIPS-CC mode.
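The only remediation the article gives is a version floor per product (10.2.341 for NetExtender on Windows, 6.2.6 for GlobalProtect, or FIPS-CC mode for the latter). The following is an added example, not AmberWolf's or either vendor's code, showing how a defender might triage an endpoint inventory against those floors; the inventory records, hostnames and version strings other than the two fixed releases are constructed sample values. The one non-obvious point it demonstrates is that version strings must be compared numerically, component by component, because a plain string comparison would rank a hypothetical "10.10.1" below "10.2.341".

```python
from typing import Dict, List, Tuple

# Fixed releases as stated in the article.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "NetExtender": (10, 2, 341),   # SonicWall NetExtender for Windows, CVE-2024-29014
    "GlobalProtect": (6, 2, 6),    # Palo Alto Networks GlobalProtect, CVE-2024-5921
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.341' into (10, 2, 341) so comparisons are numeric, not lexical."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_patched(product: str, version: str, fips_cc_mode: bool = False) -> bool:
    """True when the installed client is at or above the fixed release.

    For GlobalProtect the article names FIPS-CC mode as an accepted
    alternative to upgrading, so that flag short-circuits the check.
    """
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for {product!r}")
    if product == "GlobalProtect" and fips_cc_mode:
        return True
    # Tuple comparison is element-wise; a shorter prefix sorts below a longer one.
    return parse_version(version) >= FIXED_VERSIONS[product]


def triage(inventory: List[Dict[str, object]]) -> List[str]:
    """Return the hostnames whose VPN client still needs an upgrade."""
    needs_action = []
    for host in inventory:
        patched = is_patched(
            str(host["product"]),
            str(host["version"]),
            bool(host.get("fips_cc", False)),
        )
        if not patched:
            needs_action.append(str(host["host"]))
    return needs_action


# Constructed sample inventory (hostnames and most versions are hypothetical).
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"host": "ws-001", "product": "NetExtender", "version": "10.2.339"},
    {"host": "ws-002", "product": "NetExtender", "version": "10.2.341"},
    {"host": "ws-003", "product": "NetExtender", "version": "10.10.1"},  # string compare would wrongly flag this
    {"host": "ws-004", "product": "GlobalProtect", "version": "6.2.5"},
    {"host": "ws-005", "product": "GlobalProtect", "version": "6.2.5", "fips_cc": True},
    {"host": "ws-006", "product": "GlobalProtect", "version": "6.3.0"},
]

if __name__ == "__main__":
    for hostname in triage(SAMPLE_INVENTORY):
        print(f"{hostname}: VPN client below the fixed release, upgrade required")
```

In practice the inventory would come from an endpoint-management export rather than a literal list; the comparison logic is the part worth keeping, since a lexical sort is the classic way such a check silently passes an outdated client.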
In addition to reporting the bugs to SonicWall and Palo Alto Networks, AmberWolf also released an open source tool, also called NachoVPN, that simulates the attack, BleepingComputer reports.
“The tool is platform-independent, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered,” AmberWolf said.
“It currently supports several popular corporate VPN products, including Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure,” the company concluded in its announcement.
Via BleepingComputer