Cybersecurity researchers have disclosed a set of flaws impacting Palo Alto Networks and SonicWall virtual private network (VPN) clients that could potentially be exploited to gain remote code execution on Windows and macOS systems.
"By targeting the implicit trust VPN clients place in servers, attackers can manipulate client behaviours, execute arbitrary commands, and gain high levels of access with minimal effort," AmberWolf said in an analysis.
In a hypothetical attack scenario, this plays out in the form of a rogue VPN server that tricks the clients into downloading malicious updates, which the clients then run with the privileges they hold on the endpoint.
The result of the investigation is a proof-of-concept (PoC) attack tool called NachoVPN that can simulate such VPN servers and exploit the vulnerabilities to achieve privileged code execution.
The identified flaws are listed below –
- CVE-2024-5921 (CVSS score: 5.6) – An insufficient certificate validation vulnerability impacting Palo Alto Networks GlobalProtect for Windows, macOS, and Linux that allows the app to be connected to arbitrary servers, leading to the deployment of malicious software (Addressed in version 6.2.6 for Windows)
- CVE-2024-29014 (CVSS score: 7.1) – A vulnerability impacting the SonicWall SMA100 NetExtender Windows client that could allow an attacker to execute arbitrary code when processing an End Point Control (EPC) Client update (Affects versions 10.2.339 and earlier, addressed in version 10.2.341)
Palo Alto Networks has emphasised that the attacker must either have access as a local, non-administrative operating-system user or be on the same subnet in order to install malicious root certificates on the endpoint and then install malicious software signed by those root certificates.
If those conditions are met, the GlobalProtect app could be weaponised to steal a victim's VPN credentials, execute arbitrary code with elevated privileges, and install malicious root certificates that could be used to facilitate other attacks.
Similarly, an attacker could trick a user into connecting their NetExtender client to a malicious VPN server and then deliver a counterfeit EPC Client update that is signed with a valid-but-stolen certificate, ultimately executing code with SYSTEM privileges.
"Attackers can exploit a custom URI handler to force the NetExtender client to connect to their server," AmberWolf said. "Users only need to visit a malicious website and accept a browser prompt, or open a malicious document for the attack to succeed."
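The two weaknesses above, a client that connects to any server (CVE-2024-5921's insufficient certificate validation) and a client that accepts an update signed by a certificate it should not trust, come down to the same question: which certificates does the client pin, and what does it check before acting on one? The Go program below is an added illustration written for this page; it is not code from AmberWolf, NachoVPN, Palo Alto Networks or SonicWall and does not model either vendor's PKI. It builds an in-memory PKI with two constructed roots (an organisation root the client pins and a rogue root an attacker controls), a placeholder portal name `vpn.example.test`, and ECDSA P-256 keys chosen purely for brevity, then runs the checks a careful client should perform against a legitimate portal certificate, a rogue server presenting the portal's name, a genuine certificate issued for a different host, a TLS server certificate offered as an update signer, and a genuine code-signing certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// vpnHost is a constructed placeholder for the organisation's VPN portal name.
const vpnHost = "vpn.example.test"

// ca is an in-memory certificate authority. ECDSA P-256 is an assumption made
// for brevity; nothing here models either vendor's real PKI.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newTemplate returns a fresh key and the fields shared by every certificate
// built below. Panicking is acceptable in a demo: it only fails without an RNG.
func newTemplate(name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key, &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// mustCert parses the DER that x509.CreateCertificate produced.
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newCA builds a self-signed root.
func newCA(name string) *ca {
	key, t := newTemplate(name)
	t.KeyUsage |= x509.KeyUsageCertSign
	t.BasicConstraintsValid, t.IsCA = true, true
	return &ca{cert: mustCert(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)), key: key}
}

// issue signs an end-entity certificate for name with the given extended key usages.
func (c *ca) issue(name string, eku ...x509.ExtKeyUsage) *x509.Certificate {
	key, t := newTemplate(name)
	t.DNSNames, t.ExtKeyUsage = []string{name}, eku
	return mustCert(x509.CreateCertificate(rand.Reader, t, c.cert, &key.PublicKey, c.key))
}

// accept is the check a client should run before trusting a certificate: the chain
// must end at the pinned root, the name must match when one is expected (host == ""
// skips that, as for an update signer), and the extended key usage must fit the purpose.
func accept(leaf *x509.Certificate, roots *x509.CertPool, host string, eku x509.ExtKeyUsage) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// Demo builds the constructed PKI and reports, per scenario, whether accept
// behaved as a careful client should.
func Demo() map[string]bool {
	orgCA, rogueCA := newCA("Example Org VPN Root"), newCA("Rogue VPN Root")
	roots := x509.NewCertPool()
	roots.AddCert(orgCA.cert) // the only root the client pins
	server, signing := x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageCodeSigning
	legit := orgCA.issue(vpnHost, server)
	rogue := rogueCA.issue(vpnHost, server) // same name, attacker's issuer
	other := orgCA.issue("intranet.example.test", server)
	signer := orgCA.issue("Example Org Update Signing", signing)
	return map[string]bool{
		// portal cert from the pinned root with the right name: accepted
		"legit_server_accepted": accept(legit, roots, vpnHost, server) == nil,
		// rogue server presenting the portal name under its own root: rejected
		"rogue_ca_rejected": errors.As(accept(rogue, roots, vpnHost, server), new(x509.UnknownAuthorityError)),
		// genuine org-issued cert, but for another host: rejected
		"wrong_host_rejected": errors.As(accept(other, roots, vpnHost, server), new(x509.HostnameError)),
		// a TLS server cert offered as an update signer: rejected (incompatible usage)
		"tls_cert_as_signer_rejected": errors.As(accept(legit, roots, "", signing), new(x509.CertificateInvalidError)),
		// a real code-signing cert, stolen or not, passes every check here
		"stolen_signer_accepted": accept(signer, roots, "", signing) == nil,
	}
}

func main() {
	fmt.Println(Demo())
}
```

The last scenario is the caveat the NetExtender case turns on: chain validation, name matching and key-usage checks shut out a rogue server and a certificate issued for some other host, but a genuine code-signing certificate whose key has been stolen satisfies all of them. For that case the remaining controls are revocation and pinning the specific signer (or its public key) the client expects, rather than any certificate the root has issued.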
While there is no evidence that these shortcomings have been exploited in the wild, users of Palo Alto Networks GlobalProtect and SonicWall NetExtender are advised to apply the latest patches to safeguard against potential threats.
The development comes as researchers from Bishop Fox detailed their approach to decrypting and analysing the firmware embedded in SonicWall firewalls, to further aid vulnerability research and to build fingerprinting capabilities for assessing the current state of SonicWall firewall security based on internet-facing exposures.