Cybersecurity researchers have disclosed a set of flaws impacting Palo Alto Networks and SonicWall virtual private network (VPN) clients that could potentially be exploited to gain remote code execution on Windows and macOS systems.
"By targeting the implicit trust VPN clients place in servers, attackers can manipulate client behaviours, execute arbitrary commands, and gain high levels of access with minimal effort," AmberWolf said in an analysis.
In a hypothetical attack scenario, this plays out in the form of a rogue VPN server that can trick the clients into downloading malicious updates that can cause unintended consequences.
The result of the investigation is a proof-of-concept (PoC) attack tool called NachoVPN that can simulate such VPN servers and exploit the vulnerabilities to achieve privileged code execution.
The identified flaws are listed below -
- CVE-2024-5921 (CVSS score: 5.6) - An insufficient certificate validation vulnerability impacting Palo Alto Networks GlobalProtect for Windows, macOS, and Linux that allows the app to be connected to arbitrary servers, leading to the deployment of malicious software (Addressed in version 6.2.6 for Windows)
- CVE-2024-29014 (CVSS score: 7.1) - A vulnerability impacting the SonicWall SMA100 NetExtender Windows client that could allow an attacker to execute arbitrary code when processing an End Point Control (EPC) Client update. (Affects versions 10.2.339 and earlier, addressed in version 10.2.341)
Palo Alto Networks has emphasized that the attacker needs to either have access as a local non-administrative operating system user or be on the same subnet in order to install malicious root certificates on the endpoint and install malicious software signed by those malicious root certificates on that endpoint.
In doing so, the GlobalProtect app could be weaponized to steal a victim's VPN credentials, execute arbitrary code with elevated privileges, and install malicious root certificates that could be used to facilitate other attacks.
Similarly, an attacker could trick a user into connecting their NetExtender client to a malicious VPN server and then send a counterfeit EPC Client update that is signed with a valid-but-stolen certificate to ultimately execute code with SYSTEM privileges.
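Both flaws come down to the client trusting the wrong thing: GlobalProtect accepting an arbitrary server because certificate validation was insufficient, and NetExtender accepting an update signed by a certificate that was valid but not the vendor's. The following Go program is an added example written for this article, not code from AmberWolf, Palo Alto Networks or SonicWall, and it does not reproduce either product's logic. It builds a constructed PKI in memory (a pinned corporate root, a legitimate VPN server certificate, and a rogue server certificate for the same host name issued by an attacker-controlled CA) and shows the two checks a client should make before acting on anything a server sends: chain the presented certificate to the pinned root for the expected host name, and verify update packages against the vendor's pinned release key rather than any certificate that merely validates. The host name `vpn.example.test`, the key material and the update payload are all constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host is the VPN server name the client expects (constructed for this example).
const Host = "vpn.example.test"

// template builds a certificate template: a CA when ca is true, otherwise a
// TLS server leaf whose SAN is the common name.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if ca {
		t.IsCA = true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mustCert issues a certificate for tmpl. With parent == nil it is self-signed;
// otherwise it is signed by parent using parentKey.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyServer is the check a VPN client must pass before it acts on anything
// the server sends (configuration, updates, credential prompts): the presented
// certificate must chain to the pinned root and carry the expected host name.
// A rogue server for the same name under another CA fails with an
// UnknownAuthorityError; a pinned-root certificate for another name fails with
// a HostnameError.
func VerifyServer(presented, pinnedRoot *x509.Certificate, expectedHost string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedHost})
	return err
}

// VerifyUpdate accepts an update package only when it is signed by the vendor's
// pinned release key. A signature from some other valid-but-stolen signing
// identity does not verify, because the key itself, not a CA, is pinned.
func VerifyUpdate(pkg, sig []byte, vendorKey ed25519.PublicKey) bool {
	return len(sig) == ed25519.SignatureSize && ed25519.Verify(vendorKey, pkg, sig)
}

// Scenario holds the constructed PKI and signing keys used by the demo.
type Scenario struct {
	Root, Legit, Rogue *x509.Certificate
	VendorPub          ed25519.PublicKey
	VendorPriv         ed25519.PrivateKey
	StolenPriv         ed25519.PrivateKey // some other party's valid key, not the vendor's
}

// BuildScenario creates the pinned root, a legitimate server certificate, a rogue
// server certificate for the same host under an attacker CA, and two release keys.
func BuildScenario() Scenario {
	root, rootKey := mustCert(template("Example Corp VPN Root", 1, true), nil, nil)
	legit, _ := mustCert(template(Host, 2, false), root, rootKey)
	rogueCA, rogueKey := mustCert(template("Rogue CA", 3, true), nil, nil)
	rogue, _ := mustCert(template(Host, 4, false), rogueCA, rogueKey)
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, stolenPriv, _ := ed25519.GenerateKey(rand.Reader)
	return Scenario{root, legit, rogue, vendorPub, vendorPriv, stolenPriv}
}

func main() {
	s := BuildScenario()
	fmt.Println("legit server :", VerifyServer(s.Legit, s.Root, Host))
	fmt.Println("rogue server :", VerifyServer(s.Rogue, s.Root, Host))
	pkg := []byte("constructed agent update payload")
	fmt.Println("vendor update:", VerifyUpdate(pkg, ed25519.Sign(s.VendorPriv, pkg), s.VendorPub))
	fmt.Println("stolen update:", VerifyUpdate(pkg, ed25519.Sign(s.StolenPriv, pkg), s.VendorPub))
}
```

The design point is that both checks are pinned to identities the client ships with, so a server reachable through a custom URI handler or a same-subnet position gains nothing unless it also holds the corporate root's key or the vendor's release key; both checks run before any downloaded content is executed, which is the ordering the two advisories are about.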
"Attackers can exploit a custom URI handler to force the NetExtender client to connect to their server," AmberWolf said. "Users only need to visit a malicious website and accept a browser prompt, or open a malicious document for the attack to succeed."
While there is no evidence that these shortcomings have been exploited in the wild, users of Palo Alto Networks GlobalProtect and SonicWall NetExtender are advised to apply the latest patches to safeguard against potential threats.
The development comes as researchers from Bishop Fox detailed their approach to decrypting and analyzing the firmware embedded in SonicWall firewalls to further aid vulnerability research and build fingerprinting capabilities in order to assess the current state of SonicWall firewall security based on internet-facing exposures.