NachoVPN Tool Exploits Flaws in Popular VPN Clients for System Compromise


Dec 03, 2024 | Ravie Lakshmanan | Endpoint Security / Vulnerability

Cybersecurity researchers have disclosed a set of flaws impacting Palo Alto Networks and SonicWall virtual private network (VPN) clients that could be potentially exploited to gain remote code execution on Windows and macOS systems.

“By targeting the implicit trust VPN clients place in servers, attackers can manipulate client behaviours, execute arbitrary commands, and gain high levels of access with minimal effort,” AmberWolf said in an analysis.

In a hypothetical attack scenario, this plays out in the form of a rogue VPN server that can trick the clients into downloading malicious updates that can cause unintended consequences.

The result of the investigation is a proof-of-concept (PoC) attack tool called NachoVPN that can simulate such VPN servers and exploit the vulnerabilities to achieve privileged code execution.

The identified flaws are listed below:

  • CVE-2024-5921 (CVSS score: 5.6) – An insufficient certificate validation vulnerability impacting Palo Alto Networks GlobalProtect for Windows, macOS, and Linux that allows the app to be connected to arbitrary servers, leading to the deployment of malicious software (Addressed in version 6.2.6 for Windows)
  • CVE-2024-29014 (CVSS score: 7.1) – A vulnerability impacting SonicWall SMA100 NetExtender Windows client that could allow an attacker to execute arbitrary code when processing an End Point Control (EPC) Client update. (Affects versions 10.2.339 and earlier, addressed in version 10.2.341)

Palo Alto Networks has emphasized that the attacker would need to either have access as a local non-administrative operating system user or be on the same subnet so as to install malicious root certificates on the endpoint and install malicious software signed by the malicious root certificates on that endpoint.

In doing so, the GlobalProtect app could be weaponized to steal a victim’s VPN credentials, execute arbitrary code with elevated privileges, and install malicious root certificates that could be used to facilitate other attacks.

Similarly, an attacker could trick a user to connect their NetExtender client to a malicious VPN server and then deliver a counterfeit EPC Client update that's signed with a valid-but-stolen certificate to ultimately execute code with SYSTEM privileges.

“Attackers can exploit a custom URI handler to force the NetExtender client to connect to their server,” AmberWolf said. “Users only need to visit a malicious website and accept a browser prompt, or open a malicious document for the attack to succeed.”

While there is no evidence that these shortcomings have been exploited in the wild, users of Palo Alto Networks GlobalProtect and SonicWall NetExtender are advised to apply the latest patches to safeguard against potential threats.
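To act on the patch advice, the added example below (not from the article, AmberWolf or either vendor) triages a software inventory against the version numbers quoted above. The CSV columns, status labels and hostnames are assumptions; anything the article does not state, such as NetExtender 10.2.340 or GlobalProtect on macOS, is flagged for a vendor-advisory check rather than guessed.

```python
import csv
import io
import re

# Version facts come from the article; anything it does not state is CHECK-VENDOR.
GP_WIN_FIXED = (6, 2, 6, 0)         # GlobalProtect for Windows, CVE-2024-5921
NX_LAST_AFFECTED = (10, 2, 339, 0)  # NetExtender for Windows, CVE-2024-29014
NX_FIXED = (10, 2, 341, 0)

def parse_version(text):
    """'6.2.4-652' -> (6, 2, 4, 0); padded so '10.2.339' equals '10.2.339.0'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def triage(product, os_name, version):
    """Classify one installed client (status labels are this example's own)."""
    v = parse_version(version)
    product, os_name = product.strip().lower(), os_name.strip().lower()
    if product == "globalprotect":
        # The article names a fix only for Windows, and only on the 6.2 line.
        if os_name != "windows" or v[:2] > GP_WIN_FIXED[:2]:
            return "CHECK-VENDOR"
        return "BELOW-FIX" if v < GP_WIN_FIXED else "AT-OR-ABOVE-FIX"
    if product == "netextender" and os_name == "windows":
        if v <= NX_LAST_AFFECTED:
            return "BELOW-FIX"
        # 10.2.340 falls between the two versions the article gives.
        return "AT-OR-ABOVE-FIX" if v >= NX_FIXED else "CHECK-VENDOR"
    return "NOT-COVERED"

def scan(inventory_csv):
    """Return [(host, status)] for a CSV with host,product,os,version columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], triage(r["product"], r["os"], r["version"])) for r in rows]

# Constructed sample inventory: hostnames and build suffixes are made up.
SAMPLE = """host,product,os,version
ws-001,GlobalProtect,Windows,6.2.4-652
ws-002,GlobalProtect,Windows,6.2.6
mac-003,GlobalProtect,macOS,6.2.6
ws-004,NetExtender,Windows,10.2.339
ws-005,NetExtender,Windows,10.2.341
"""

if __name__ == "__main__":
    for host, status in scan(SAMPLE):
        print(f"{host:8} {status}")
```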

The development comes as researchers from Bishop Fox detailed its approach to decrypting and analyzing the firmware embedded in SonicWall firewalls to further aid in vulnerability research and build fingerprinting capabilities in order to assess the current state of SonicWall firewall security based on internet-facing exposures.
