New VPN Attack Demonstrated Against Palo Alto Networks, SonicWall Products

Palo Alto Networks and SonicWall VPNs affected by vulnerabilities allowing remote code execution and privilege escalation.

Researchers at offensive cyber solutions provider AmberWolf have disclosed the details of a new attack method that can be leveraged against widely used corporate VPN clients.

VPNs are often used by organizations for secure remote access, but the AmberWolf researchers showed that the attack surface they introduce should not be ignored. 

They also published an open source tool named NachoVPN, which demonstrates the attack against Palo Alto Networks and SonicWall VPNs through recently patched vulnerabilities, as well as against Cisco AnyConnect and Ivanti Connect Secure through older flaws. The tool’s plugin-based architecture enables users to add support for other products as well.

The attack, which works on both Windows and macOS, leverages the trust relationship between the VPN client and the server. NachoVPN is designed to simulate a rogue VPN server that can exploit vulnerabilities in the VPN clients connecting to it. 

In the case of the Palo Alto Networks product, specifically the GlobalProtect VPN client, the researchers showed how an attacker could target the automatic update mechanism to install a malicious root certificate and achieve remote code execution and privilege escalation. 

An attacker needs to trick the targeted user into connecting to their rogue VPN server, which AmberWolf says can be achieved through social engineering.  

Palo Alto Networks, which tracks the vulnerability as CVE-2024-5921, describes it as a medium-severity insufficient certificate validation issue in the GlobalProtect app for Windows, macOS and Linux. 

The company published an advisory and announced patches for the security hole on November 26, the same day the researchers published blog posts detailing their findings.


Palo Alto Networks pointed out that the attacker needs to have local non-admin access to the operating system or be on the same subnet as the victim in order to exploit the flaw. 

This issue has been fixed with the release of GlobalProtect 6.2.6 on Windows. Mitigations are also available. The company noted that it’s not aware of malicious exploitation, but pointed out that a PoC (i.e., the NachoVPN tool) is publicly available.

In the case of the SonicWall product, AmberWolf researchers discovered that the attack works against the SMA100 NetExtender VPN client for Windows. 

SonicWall is tracking the vulnerability as CVE-2024-29014 and has assigned it a ‘high severity’ rating. The vendor released patches in mid-July and pointed out that firewalls running SonicOS are not affected, and neither is the NetExtender Linux client.

According to AmberWolf, the SonicWall vulnerability allows remote code execution with System privileges, and exploitation only requires the targeted user to visit a malicious website and accept a browser prompt. 

Related: Fortinet VPN Zero-Day Exploited in Malware Attacks Remains Unpatched

Related: Port Shadow Attack Allows VPN Traffic Interception, Redirection

Related: Exploitation of Recent Check Point VPN Zero-Day Soars

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.