VPN apps are supposed to help remote workers securely log onto their company’s servers, but critical vulnerabilities in apps made by at least four companies could be leaving the digital door wide open for hackers to steal corporate secrets.
The nonprofit CERT Coordination Center—which acts as the Internet’s emergency response team—and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an alert for enterprise VPN apps made by Cisco, Palo Alto Networks, Pulse Secure, and F5 Networks on Friday. The bulletin also warned that more testing will be required to determine if hundreds of other VPN apps are at risk.
These aren’t your run-of-the-mill VPN apps used by citizens to mask their private Internet surfing traffic. The services in question are enterprise solutions that are frequently deployed by corporate IT departments for people who need to work remotely, but also want access to their company’s private data, such as email and internal tools.
The apps appear to be incorrectly storing cookies on a person’s computer, according to the CERT bulletin. While the cookies are designed to help people bypass having to enter their password at every new login screen, they could be dangerous if the wrong person gains access.
A potential worst case scenario could be if a skilled hacker gained access to a person’s private computer through malware—they could then use the improperly stored cookies to log in to the enterprise VPNs, bypassing usual checkpoints where they might otherwise have to enter a password.
Palo Alto Networks has issued a patch for its GlobalProtect app, for both its Windows and Mac users, however the other companies named in the bulletin have not yet issued public responses. Hundreds of other apps could also be affected—but more testing will be required. A “generic configuration” may be the reason why the problem is being spread across companies, according to the bulletin.
Just two enterprise VPN vendors—Check Point Software Technologies and pfSense—were given an all clear in the CERT bulletin.
While it’s important to regularly check for security updates and patches, using two-factor authentication (2FA) as an extra layer of security can help companies ensure there’s no unauthorized access to their accounts, says Kathy Wang, director of security at Gitlab, an open source software development site. “A VPN is one means to an end, but not the only means,” she says.
Setting up 2FA can be as simple as adding an email address or phone number to an account. When you try to log in, the site would then send a unique, one-time code for users to enter, proving their identity.