Department of Homeland Security: Security Flaws in Corporate VPN Apps

The Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security (DHS) and the CERT Coordination Center have warned that many enterprise virtual private network (VPN) applications contain security flaws that may allow an attacker to compromise a company's internal network remotely.

Enterprise VPN apps are supposed to help remote workers sign in securely to their companies' servers, but critical vulnerabilities in applications produced by at least four companies might leave the digital door wide open for hackers to steal corporate secrets.

The problem affects VPN software products from Cisco, Palo Alto Networks, Pulse Secure and F5 Networks, according to a security advisory from the CERT Coordination Center.

The applications built by these companies store authentication tokens and session cookies on a user's computer incorrectly.

Note that these are not the traditional consumer-oriented VPN apps used to protect privacy, but enterprise VPN apps that are usually deployed by a company's information technology staff to give employees remote access to resources on the corporate network.


These applications generate tokens from users' passwords and store them in cookies on the users' computers, so that users stay logged in without having to re-enter the password every time.

If stolen, these files allow an attacker to access the user's account without needing a password. The cookies should be encrypted, but the affected VPN apps store the data unencrypted on the device.

An attacker who gains access to a user's computer can steal those tokens and use them to reach the corporate network with the same level of access as the user, including access to corporate applications, systems and data, such as email and internal tools.

Palo Alto Networks confirmed that its GlobalProtect Agent application was at risk, but it has released a patch for both Windows and Mac. Pulse Secure has also released a fix for its Pulse Secure Desktop application.

Cisco disputed the security warning, saying: “Cisco has investigated this problem and concluded that the Cisco AnyConnect application is not susceptible to the behavior described in the CERT Coordination Center warning.”

F5 Networks, for its part, has known about the storage problem since at least 2013, but it advised users to use authentication rather than releasing a fixed version.

The CERT Coordination Center warned that hundreds of other applications may be affected, but confirming this requires more testing.
