A set of vulnerabilities dubbed “NachoVPN” permits rogue VPN servers to put in malicious updates when unpatched Palo Alto and SonicWall SSL-VPN shoppers hook up with them.
AmberWolf safety researchers discovered that menace actors can trick potential targets into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN shoppers to attacker-controlled VPN servers utilizing malicious web sites or paperwork in social engineering or phishing assaults.
Risk actors can use the rogue VPN endpoints to steal the victims’ login credentials, execute arbitrary code with elevated privileges, set up malicious software program by way of updates, and launch code-signing forgery or man-in-the-middle assaults by putting in malicious root certificates.
SonicWall launched patches to deal with the CVE-2024-29014 NetExtender vulnerability in July, two months after the preliminary Could report, and Palo Alto Networks launched safety updates at the moment for the CVE-2024-5921 GlobalProtect flaw, seven months after they have been knowledgeable of the flaw in April and nearly one month after AmberWolf printed vulnerability particulars at SANS HackFest Hollywood.
Whereas SonicWall says prospects have to put in NetExtender Home windows 10.2.341 or increased variations to patch the safety flaw, Palo Alto Networks says that working the VPN consumer in FIPS-CC mode can even mitigate potential assaults apart from putting in GlobalProtect 6.2.6 or later (which fixes the vulnerability).
On Tuesday, AmberWolf disclosed extra particulars relating to the 2 vulnerabilities and launched an open-source instrument dubbed NachoVPN, which simulates rogue VPN servers that may exploit these vulnerabilities.
“The instrument is platform-agnostic, able to figuring out completely different VPN shoppers and adapting its response primarily based on the precise consumer connecting to it. It is usually extensible, encouraging group contributions and the addition of latest vulnerabilities as they’re found,” AmberWolf defined.
“It at present helps numerous fashionable company VPN merchandise, corresponding to Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Join Safe,” the corporate added on the instrument’s GitHub web page.
AmberWolf additionally launched advisories with extra technical info relating to the SonicWall NetExtender and Palo Alto Networks GlobalProtect vulnerabilities, in addition to assault vector particulars and suggestions to assist defenders defend their networks towards potential assaults.