A set of vulnerabilities dubbed “NachoVPN” allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them.
AmberWolf security researchers found that threat actors can trick potential targets into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to attacker-controlled VPN servers using malicious websites or documents in social engineering or phishing attacks.
Threat actors can use the rogue VPN endpoints to steal the victims’ login credentials, execute arbitrary code with elevated privileges, install malicious software via updates, and launch code-signing forgery or man-in-the-middle attacks by installing malicious root certificates.
SonicWall released patches to address the CVE-2024-29014 NetExtender vulnerability in July, two months after the initial May report, and Palo Alto Networks released security updates today for the CVE-2024-5921 GlobalProtect flaw, seven months after they were informed of the flaw in April and almost one month after AmberWolf published vulnerability details at SANS HackFest Hollywood.
While SonicWall says customers have to install NetExtender Windows 10.2.341 or higher versions to patch the security flaw, Palo Alto Networks says that running the VPN client in FIPS-CC mode may also mitigate potential attacks, apart from installing GlobalProtect 6.2.6 or later (which fixes the vulnerability).
On Tuesday, AmberWolf disclosed more details regarding the two vulnerabilities and released an open-source tool dubbed NachoVPN, which simulates rogue VPN servers that can exploit these vulnerabilities.
“The tool is platform-agnostic, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered,” AmberWolf explained.
“It currently supports various popular corporate VPN products, such as Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure,” the company added on the tool’s GitHub page.
AmberWolf also released advisories with more technical information regarding the SonicWall NetExtender and Palo Alto Networks GlobalProtect vulnerabilities, as well as attack vector details and recommendations to help defenders protect their networks against potential attacks.