Cybersecurity researchers have disclosed a set of flaws impacting Palo Alto Networks and SonicWall virtual private network (VPN) clients that could potentially be exploited to gain remote code execution on Windows and macOS systems.
"By targeting the implicit trust VPN clients place in servers, attackers can manipulate client behaviours, execute arbitrary commands, and gain high levels of access with minimal effort," AmberWolf said in an analysis.
In a hypothetical attack scenario, this plays out in the form of a rogue VPN server that can trick the clients into downloading malicious updates that can cause unintended consequences.
The result of the investigation is a proof-of-concept (PoC) attack tool called NachoVPN that can simulate such VPN servers and exploit the vulnerabilities to gain privileged code execution.
The identified flaws are listed below -
- CVE-2024-5921 (CVSS score: 5.6) - An insufficient certificate validation vulnerability impacting Palo Alto Networks GlobalProtect for Windows, macOS, and Linux that allows the app to be connected to arbitrary servers, leading to the deployment of malicious software (Addressed in version 6.2.6 for Windows)
- CVE-2024-29014 (CVSS score: 7.1) - A vulnerability impacting the SonicWall SMA100 NetExtender Windows client that could allow an attacker to execute arbitrary code when processing an End Point Control (EPC) Client update. (Impacts versions 10.2.339 and earlier, addressed in version 10.2.341)
Palo Alto Networks has emphasized that the attacker needs to either have access as a local non-administrative operating system user or be on the same subnet in order to install malicious root certificates on the endpoint and install malicious software signed by those malicious root certificates on that endpoint.

In doing so, the GlobalProtect app could be weaponized to steal a victim's VPN credentials, execute arbitrary code with elevated privileges, and install malicious root certificates that could be used to facilitate other attacks.
Similarly, an attacker could trick a user into connecting their NetExtender client to a malicious VPN server and then send a counterfeit EPC Client update that is signed with a valid-but-stolen certificate to ultimately execute code with SYSTEM privileges.
"Attackers can exploit a custom URI handler to force the NetExtender client to connect to their server," AmberWolf said. "Users only need to visit a malicious website and accept a browser prompt, or open a malicious document for the attack to succeed."
While there is no evidence that these shortcomings have been exploited in the wild, users of Palo Alto Networks GlobalProtect and SonicWall NetExtender are advised to apply the latest patches to safeguard against potential threats.
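As an added defender-side example (not code from the article, AmberWolf, or either vendor), the following Python script takes a constructed endpoint inventory and flags clients that are still below the fixed versions the article states: GlobalProtect 6.2.6 for Windows (CVE-2024-5921) and NetExtender 10.2.341 (CVE-2024-29014). The product keys, the inventory format, and the choice to flag every version below the fixed release (including anything between 10.2.339 and 10.2.341) are assumptions made for this example; the article itself only gives the version numbers.

```python
"""
Added example: flag VPN client installs that are below the fixed versions
named in the article. Product keys, inventory format, and the conservative
"anything below the fixed version is flagged" rule are assumptions of this
example, not statements from the vendors.
"""
import re
from dataclasses import dataclass

# Fixed versions as given in the article. Only the Windows builds are listed
# there, so only those are encoded here.
ADVISORIES = {
    "globalprotect-windows": {"cve": "CVE-2024-5921", "fixed": "6.2.6"},
    "netextender-windows": {"cve": "CVE-2024-29014", "fixed": "10.2.341"},
}


def parse_version(text):
    """Turn '10.2.339' into (10, 2, 339). Trailing build suffixes such as
    '-h2' are ignored so that hotfix-tagged strings still compare."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic cmp(); shorter tuples are zero-padded
    so '10.3' compares as '10.3.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


@dataclass
class Finding:
    host: str
    product: str
    installed: str
    cve: str
    fixed: str


def find_unpatched(inventory):
    """inventory: iterable of (host, product_key, installed_version).
    Products without an advisory entry are skipped, not flagged."""
    findings = []
    for host, product, installed in inventory:
        adv = ADVISORIES.get(product)
        if adv is None:
            continue
        if compare_versions(installed, adv["fixed"]) < 0:
            findings.append(Finding(host, product, installed, adv["cve"], adv["fixed"]))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "globalprotect-windows", "6.2.5"),
    ("ws-002", "globalprotect-windows", "6.2.6"),
    ("ws-003", "netextender-windows", "10.2.339"),
    ("ws-004", "netextender-windows", "10.2.341"),
    ("ws-005", "netextender-windows", "10.2.300-h2"),
    ("ws-006", "unknown-client", "1.0"),
]

if __name__ == "__main__":
    for f in find_unpatched(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.product} {f.installed} < {f.fixed} ({f.cve})")
```

Feeding the script a real export from an endpoint management tool only requires mapping its product names onto the two keys above; the version comparison deliberately pads and strips suffixes so that hotfix-tagged builds do not silently escape the check.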
The development comes as researchers from Bishop Fox detailed their approach to decrypting and analyzing the firmware embedded in SonicWall firewalls to further aid vulnerability research and build fingerprinting capabilities, so as to assess the current state of SonicWall firewall security based on internet-facing exposures.