Link to article: https://www.kb.cert.org/vuls/id/192371/
Exert from Article:
Description
Virtual Private Networks (VPNs) are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.
CWE-311: Missing Encryption of Sensitive Data
The following products and versions store the cookie insecurely in log files:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
The following products and versions store the cookie insecurely in memory:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
- Cisco AnyConnect 4.7.x and prior
It is likely that this configuration is generic to additional VPN applications. If you believe that your organization is vulnerable, please contact CERT/CC at cert@cert.org with the affected products, version numbers, patch information, and self-assigned CVE.
No comments:
Post a Comment