A set of vulnerabilities dubbed “NachoVPN” permits rogue VPN servers to put in malicious updates when unpatched Palo Alto and SonicWall SSL-VPN shoppers hook up with them.
AmberWolf safety researchers discovered that risk actors can trick potential targets into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN shoppers to attacker-controlled VPN servers utilizing malicious web sites or paperwork in social engineering or phishing assaults.
Menace actors can use the rogue VPN endpoints to steal the victims’ login credentials, execute arbitrary code with elevated privileges, set up malicious software program by way of updates, and launch code-signing forgery or man-in-the-middle assaults by putting in malicious root certificates.
SonicWall launched patches to deal with the CVE-2024-29014 NetExtender vulnerability in July, two months after the preliminary Could report, and Palo Alto Networks launched safety updates at this time for the CVE-2024-5921 GlobalProtect flaw, seven months after they have been knowledgeable of the flaw in April and virtually one month after AmberWolf revealed vulnerability particulars at SANS HackFest Hollywood.
Whereas SonicWall says prospects have to put in NetExtender Home windows 10.2.341 or increased variations to patch the safety flaw, Palo Alto Networks says that working the VPN shopper in FIPS-CC mode may also mitigate potential assaults moreover putting in GlobalProtect 6.2.6 or later (which fixes the vulnerability).
On Tuesday, AmberWolf disclosed extra particulars relating to the 2 vulnerabilities and launched an open-source software dubbed NachoVPN, which simulates rogue VPN servers that may exploit these vulnerabilities.
“The software is platform-agnostic, able to figuring out completely different VPN shoppers and adapting its response based mostly on the precise shopper connecting to it. It’s also extensible, encouraging neighborhood contributions and the addition of latest vulnerabilities as they’re found,” AmberWolf defined.
“It at present helps varied well-liked company VPN merchandise, resembling Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Join Safe,” the corporate added on the software’s GitHub web page.
AmberWolf additionally launched advisories with extra technical data relating to the SonicWall NetExtender and Palo Alto Networks GlobalProtect vulnerabilities, in addition to assault vector particulars and proposals to assist defenders shield their networks towards potential assaults.