Researchers reveal exploitable flaws in corporate VPN clients
Researchers have discovered vulnerabilities in the update process of Palo Alto Networks (CVE-2024-5921) and SonicWall (CVE-2024-29014) corporate VPN clients that could be exploited to remotely execute code on users’ devices.
CVE-2024-5921
CVE-2024-5921 affects various versions of Palo Alto’s GlobalProtect App on Windows, macOS and Linux, and stems from insufficient certificate validation.
It enables attackers to connect the GlobalProtect app to arbitrary servers, the company confirmed, and noted that this may result in attackers installing malicious root certificates on the endpoint and subsequently installing malicious software signed by these certificates.
“Both the Windows and macOS versions of the GlobalProtect VPN client are vulnerable to remote code execution (RCE) and privilege escalation via the automatic update mechanism. While the update process requires MSI files to be signed, attackers can exploit the PanGPS service to install a maliciously trusted root certificate, enabling RCE and privilege escalation. The updates are executed with the privilege level of the service component (SYSTEM on Windows and root on macOS),” AmberWolf researchers Richard Warren and David Cash explained.
“By default, users can specify arbitrary endpoints in the VPN client’s UI component (PanGPA). This behaviour can be exploited in social engineering attacks, where attackers trick users into connecting to rogue VPN servers. These servers can capture login credentials and compromise systems through malicious client updates.”
“This issue is fixed in GlobalProtect app 6.2.6 and all later GlobalProtect app 6.2 versions on Windows,” Palo Alto says. The company has also introduced an additional configuration parameter (FULLCHAINCERTVERIFY) that should be enabled to enforce stricter certificate validation against the system’s trusted certificate store.
There are currently no fixes for macOS or Linux versions of the app, according to PAN’s security advisory.
There is a workaround/mitigation available, though: enabling FIPS-CC mode for the GlobalProtect app on the endpoints (and enabling FIPS-CC mode on the GlobalProtect portal/gateway).
AmberWolf researchers say that host-based firewall rules can also be implemented to prevent users from connecting to malicious VPN servers.
CVE-2024-29014
CVE-2024-29014 affects SonicWall’s NetExtender VPN client for Windows versions 10.2.339 and earlier, and allows attackers to execute code with SYSTEM privileges when an End Point Control (EPC) Client update is processed. The vulnerability stems from insufficient signature validation.
There are several exploitation scenarios that could lead to this. For example, a user can be tricked into connecting their NetExtender client to a malicious VPN server and installing a fake (malicious) EPC Client update.
“When the SMA Connect Agent is installed, attackers can exploit a custom URI handler to force the NetExtender client to connect to their server. Users only need to visit a malicious website and accept a browser prompt, or open a malicious document for the attack to succeed,” the AmberWolf researchers said, describing another attack path.
SonicWall patched the vulnerability earlier this year in NetExtender for Windows (32- and 64-bit) version 10.2.341 and later, and urged users to upgrade.
“If an immediate upgrade is not feasible, consider using a client firewall to restrict access to known, legitimate VPN endpoints to prevent users from inadvertently connecting to malicious servers,” AmberWolf advised.
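Both AmberWolf recommendations above (host-based firewall rules against rogue VPN servers for GlobalProtect, and a client firewall pinning NetExtender to known endpoints) come down to the same control: let the VPN client executable talk only to the organisation's own portal/gateway addresses. The script below is an added example of that control for Windows Defender Firewall; it is not code from the article, from AmberWolf or from either vendor. The install paths and process names are typical defaults but are assumptions to verify on the host, and the endpoint addresses are constructed placeholders from the RFC 5737 documentation range.

```powershell
# Added example: pin VPN client executables to known VPN endpoints with
# Windows Defender Firewall until the client is patched. Run elevated.

# ASSUMPTION: default install paths; confirm the actual binaries that make the
# outbound connection on your build before deploying.
$VpnClients = @(
    @{ Name = 'GlobalProtect PanGPS';  Path = 'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe' }
    @{ Name = 'GlobalProtect PanGPA';  Path = 'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe' }
    @{ Name = 'SonicWall NetExtender'; Path = 'C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender\NEGui.exe' }
)

# Constructed placeholders (RFC 5737); replace with your real portal/gateway IPs.
$AllowedEndpoints = @('203.0.113.10', '203.0.113.11')

function ConvertTo-IPv4Int64 {
    # Dotted-quad -> integer, kept in int64 to avoid unsigned/shift pitfalls.
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function ConvertFrom-IPv4Int64 {
    param([int64]$Value)
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                                (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-ComplementRanges {
    # Windows Firewall has no "everything except X" address syntax, so the block
    # list is expressed as the unicast ranges lying between the allowed addresses.
    param([string[]]$Allowed)
    $lo = ConvertTo-IPv4Int64 '1.0.0.0'
    $hi = ConvertTo-IPv4Int64 '223.255.255.255'   # unicast only; multicast/reserved left out
    $sorted = @($Allowed | ForEach-Object { ConvertTo-IPv4Int64 $_ } | Sort-Object -Unique)
    $ranges = @()
    $cursor = $lo
    foreach ($ip in $sorted) {
        if ($ip -gt $hi) { break }
        if ($ip -gt $cursor) {
            $ranges += ('{0}-{1}' -f (ConvertFrom-IPv4Int64 $cursor), (ConvertFrom-IPv4Int64 ($ip - 1)))
        }
        if ($ip -ge $cursor) { $cursor = $ip + 1 }
    }
    if ($cursor -le $hi) {
        $ranges += ('{0}-{1}' -f (ConvertFrom-IPv4Int64 $cursor), (ConvertFrom-IPv4Int64 $hi))
    }
    return $ranges
}

function Set-VpnClientEgressRestriction {
    param([hashtable]$Client, [string[]]$Allowed)
    if (-not (Test-Path -LiteralPath $Client.Path)) {
        Write-Warning "Skipping $($Client.Name): $($Client.Path) not found on this host"
        return
    }
    $ruleName = "VPN egress restriction - $($Client.Name)"
    # Remove any earlier copy so re-running the script is idempotent.
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    # Block rules take precedence over allow rules in Windows Firewall, so a single
    # outbound block covering everything except the allowed endpoints is enough.
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Program $Client.Path -RemoteAddress (Get-ComplementRanges $Allowed) `
        -Profile Any -Enabled True | Out-Null
    Write-Host "Created '$ruleName'"
}

foreach ($client in $VpnClients) {
    Set-VpnClientEgressRestriction -Client $client -Allowed $AllowedEndpoints
}

# Verification: list the address filters the rules actually carry.
Get-NetFirewallRule -DisplayName 'VPN egress restriction*' |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

The rule is IPv4-only; if the portal or gateway is also reachable over IPv6, add the matching IPv6 block ranges or disable IPv6 for the client profile, otherwise a rogue server with an IPv6 address is still reachable. Users who type an arbitrary hostname into the client (the social-engineering path the researchers describe) will see the connection fail at the firewall rather than reach the attacker's server, which is the intended effect.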
A tool to help understand the risk
“VPN clients are indispensable for secure remote access, but their elevated system privileges present an enormous attack surface,” the researchers noted.
“We identified flaws in their trust relationship with VPN servers, showing how attackers could exploit these tools to gain privileged access with minimal interaction.”
They also released NachoVPN, an open-source tool that simulates rogue VPN servers capable of exploiting these and other vulnerabilities.
source: HelpNetSecurity