Monday, October 27, 2025

New NachoVPN attack uses rogue VPN servers to install malicious updates



A set of vulnerabilities dubbed “NachoVPN” allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them.

AmberWolf security researchers found that threat actors can trick potential targets into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to attacker-controlled VPN servers using malicious websites or documents in social engineering or phishing attacks.

Threat actors can use the rogue VPN endpoints to steal the victims’ login credentials, execute arbitrary code with elevated privileges, install malicious software via updates, and launch code-signing forgery or man-in-the-middle attacks by installing malicious root certificates.

SonicWall released patches to address the CVE-2024-29014 NetExtender vulnerability in July, two months after the initial May report, and Palo Alto Networks released security updates today for the CVE-2024-5921 GlobalProtect flaw, seven months after they were informed of the flaw in April and almost one month after AmberWolf published vulnerability details at SANS HackFest Hollywood.

While SonicWall says customers have to install NetExtender Windows 10.2.341 or higher versions to patch the security flaw, Palo Alto Networks says that running the VPN client in FIPS-CC mode may also mitigate potential attacks besides installing GlobalProtect 6.2.6 or later (which fixes the vulnerability).
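As an added example (not from the article, AmberWolf, or either vendor), the following Python sketch audits a software inventory against the fixed versions and the FIPS-CC mitigation named above. The CSV column names, host names, and sample rows are constructed, and the inventory is assumed to list Windows clients.

```python
import csv
import io
import re

# Minimum fixed versions as stated in the article above.
FIXED = {
    "sonicwall netextender": (10, 2, 341),   # CVE-2024-29014
    "palo alto globalprotect": (6, 2, 6),    # CVE-2024-5921
}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,product,version,fips_cc
wks-001,SonicWall NetExtender,10.2.339,no
wks-002,SonicWall NetExtender,10.2.341,no
wks-003,Palo Alto GlobalProtect,6.2.4-c12,no
wks-004,Palo Alto GlobalProtect,6.1.5,yes
wks-005,Palo Alto GlobalProtect,6.2.6,no
wks-006,Palo Alto GlobalProtect,unknown,no
wks-007,Cisco AnyConnect,4.10.0,no
"""

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple, or None if absent."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def audit(inventory_csv):
    """Map host -> 'vulnerable', 'mitigated', 'patched' or 'review'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        fixed = FIXED.get(product)
        if fixed is None:
            continue  # the article gives no fixed version for this product
        ver = parse_version(row["version"])
        if ver is None:
            status = "review"  # unparseable version: check by hand
        elif ver + (0,) * (len(fixed) - len(ver)) >= fixed:
            status = "patched"
        elif "globalprotect" in product and row["fips_cc"].strip().lower() == "yes":
            status = "mitigated"  # FIPS-CC mode, per Palo Alto Networks
        else:
            status = "vulnerable"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows whose version string cannot be parsed are marked for manual review rather than assumed patched.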

On Tuesday, AmberWolf disclosed more details regarding the two vulnerabilities and released an open-source tool dubbed NachoVPN, which simulates rogue VPN servers that can exploit these vulnerabilities.

“The tool is platform-agnostic, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered,” AmberWolf explained.

“It currently supports various popular corporate VPN products, such as Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure,” the company added on the tool’s GitHub page.

AmberWolf also released advisories with more technical information regarding the SonicWall NetExtender and Palo Alto Networks GlobalProtect vulnerabilities, as well as attack vector details and recommendations to help defenders protect their networks against potential attacks.
