Cybersecurity researchers have discovered a number of flaws affecting Palo Alto Networks and SonicWall virtual private network (VPN) clients that could potentially be used for remote code execution on Windows and macOS systems.
“By targeting VPN clients’ implicit trust in servers, attackers can manipulate client behavior, execute arbitrary commands, and gain high levels of access with minimal effort,” AmberWolf said in its analysis.
In a hypothetical attack scenario, this takes the form of a rogue VPN server that tricks the client into downloading and installing a malicious update, giving the attacker code execution on the endpoint.
The research also produced a proof-of-concept (PoC) attack tool called NachoVPN, which impersonates such VPN servers and exploits the vulnerabilities to achieve privileged code execution.
The identified flaws are listed below –
- CVE-2024-5921 (CVSS Score: 5.6) – Insufficient certificate validation vulnerability affecting Palo Alto Networks GlobalProtect for Windows, macOS, and Linux, which allows the program to connect to arbitrary servers, leading to the deployment of malware (resolved in version 6.2.6 for Windows)
- CVE-2024-29014 (CVSS Score: 7.1) – A vulnerability affecting the SonicWall SMA100 NetExtender Windows client that could allow an attacker to execute arbitrary code when processing an End Point Control (EPC) client update. (Affects 10.2.339 and earlier, addressed in 10.2.341)
Palo Alto Networks emphasized that an attacker must either have access as a local non-administrative operating system user or be on the same subnet in order to install malicious root certificates on the endpoint and then install malware signed by those root certificates on it.
A successful attack turns the GlobalProtect app into a weapon that can be used to steal the victim’s VPN credentials, execute arbitrary code with elevated privileges, and install malicious root certificates that facilitate further attacks.
Similarly, an attacker could trick a user into connecting their NetExtender client to a malicious VPN server and then deliver a fake EPC client update signed with a valid but stolen certificate, ultimately executing code with SYSTEM privileges.
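The two client-side decisions these findings turn on, whether to trust the server's certificate and whether to install a signed update, as an added illustration written for this page. It is not code from AmberWolf, NachoVPN, Palo Alto Networks or SonicWall and does not reproduce either product's actual logic. It builds a throwaway PKI in memory, then contrasts a client that accepts any server certificate with one that chains to a pinned root and checks the configured portal hostname, and an updater that installs anything carrying a valid code-signing certificate with one that additionally pins the vendor's public key. That pin is what separates a genuine update from one signed with a certificate that is valid but belongs to someone else. The hostname vpn.example.com, the organisation names, the update payload and the SPKI pin are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type keyCert struct { // a private key plus its parsed certificate; the whole PKI is built in memory
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newCert mints a P-256 certificate; parent == nil makes it self-signed (a CA when isCA is set).
func newCert(cn string, dns []string, eku []x509.ExtKeyUsage, isCA bool, parent *keyCert) *keyCert {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: dns, ExtKeyUsage: eku, BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters for the CA
	}
	issuerCert, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuerCert, issuerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &keyCert{key, cert}
}

// trustAnyServer is the flawed policy: whatever the server presents is accepted (the
// x509 equivalent of tls.Config{InsecureSkipVerify: true}).
func trustAnyServer(_ *x509.Certificate, _ *x509.CertPool, _ string) error { return nil }

// verifyServer is the hardened policy: chain to a pinned root and match the portal hostname.
func verifyServer(presented *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// signUpdate signs an update blob; the signer's certificate ships alongside the package.
func signUpdate(blob []byte, signer *keyCert) []byte {
	digest := sha256.Sum256(blob)
	sig, _ := ecdsa.SignASN1(rand.Reader, signer.key, digest[:])
	return sig
}

// acceptUpdate checks the signature and that the signer chains to a trusted CA with the
// code-signing EKU. With pin == nil that is all (the weak updater): a valid certificate stolen
// from an unrelated publisher passes. With a pin, the signer's SPKI hash must also match it.
func acceptUpdate(blob, sig []byte, signer *x509.Certificate, roots *x509.CertPool, pin *[32]byte) error {
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, blob, sig); err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return err
	}
	if pin != nil && sha256.Sum256(signer.RawSubjectPublicKeyInfo) != *pin {
		return fmt.Errorf("update signed by %q, not by the pinned vendor key", signer.Subject.CommonName)
	}
	return nil
}

// runScenario builds the hypothetical PKI and reports which policy accepts what.
func runScenario() map[string]bool {
	publicCA := newCert("Public Root CA", nil, nil, true, nil)
	roots := x509.NewCertPool()
	roots.AddCert(publicCA.cert)
	host, srvEKU := "vpn.example.com", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	realPortal := newCert(host, []string{host}, srvEKU, false, publicCA)
	roguePortal := newCert(host, []string{host}, srvEKU, false, nil) // attacker's self-signed cert
	codeEKU := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	vendor := newCert("VPN Vendor Inc.", nil, codeEKU, false, publicCA)
	stolen := newCert("Unrelated Publisher LLC", nil, codeEKU, false, publicCA) // valid cert, wrong owner
	pin := sha256.Sum256(vendor.cert.RawSubjectPublicKeyInfo)
	update := []byte("constructed EPC update payload")
	vendorSig, stolenSig := signUpdate(update, vendor), signUpdate(update, stolen)
	return map[string]bool{
		"weak_client_accepts_rogue_portal":      trustAnyServer(roguePortal.cert, roots, host) == nil,
		"strict_client_accepts_rogue_portal":    verifyServer(roguePortal.cert, roots, host) == nil,
		"strict_client_accepts_real_portal":     verifyServer(realPortal.cert, roots, host) == nil,
		"weak_updater_installs_stolen_signed":   acceptUpdate(update, stolenSig, stolen.cert, roots, nil) == nil,
		"strict_updater_installs_stolen_signed": acceptUpdate(update, stolenSig, stolen.cert, roots, &pin) == nil,
		"strict_updater_installs_vendor_signed": acceptUpdate(update, vendorSig, vendor.cert, roots, &pin) == nil,
	}
}

func main() { fmt.Println(runScenario()) }
```

Run it with `go run`. The weak client accepts the rogue portal and the weak updater installs the stolen-signed package; only the strict variants refuse both while still accepting the genuine portal and the vendor-signed update. Pinning the signer's SPKI hash is one way to bind an update to its publisher; an allow-list on the signer's subject and issuer, checked after chain validation, serves the same purpose. The server-side lesson is the same in any TLS stack: leave verification on and tell the client which portal name it expects, rather than trusting whatever the peer presents.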
“Attackers can use a custom URI handler to force a NetExtender client to connect to their server,” said AmberWolf. “Users only need to visit a malicious website and accept a browser prompt or open a malicious document for the attack to be successful.”
Although there is no evidence that these flaws have been exploited in the wild, users of Palo Alto Networks GlobalProtect and SonicWall NetExtender are encouraged to apply the latest patches to protect against potential threats.
The development comes as researchers from Bishop Fox detailed their approach to decrypting and analyzing the firmware embedded in SonicWall firewalls, work intended to aid further vulnerability research and to build fingerprinting capabilities that assess the security posture of internet-exposed SonicWall firewalls.