Vulnerability Overview
On April 14th, Carnegie Mellon University’s CERT Coordination Center released vulnerability advisory VU#192371, which disclosed security vulnerabilities in several mobile VPN clients from multiple vendors.
In general, the disclosed vulnerabilities involved insecure storage of authentication and session information. Researchers found that some VPN clients stored session cookies unencrypted in log files and in memory. An attacker with access to a system with an active VPN session could potentially scrape valid session information out of memory or log files and replay the session to open a valid VPN connection.
Is WatchGuard Affected?
WatchGuard maintains two distinct Mobile VPN clients, a Mobile VPN with SSL client and a Mobile VPN with IPSec client, neither of which are vulnerable to the issues described in the CERT disclosure.
Mobile VPN with SSL
The WatchGuard Mobile VPN with SSL client is a combination of the open source OpenVPN client and an authentication wrapper to securely download OpenVPN configuration profiles from the Firebox. Neither the OpenVPN client nor the WatchGuard authentication wrapper are affected by this vulnerability.
Mobile VPN with IPSec
WatchGuard partners with NCP for our Mobile VPN with IPSec client. This client does maintain session information securely in memory by design, to re-establish sessions due to network interruption. IPSec sessions are bound by IP address however, providing protection against authentication replay attacks.
Update: NCP has release a statement (pdf) confirming they are not affected by this vulnerability.
Bruce Briggs says
How come you did not mention the ShrewSoft IPSec VPN client, which is recommended my WG?
Marc Laliberte says
Hey Bruce,
It looks like we have a KB that needs updating. While we still maintain interoperability with the Shrew client, it isn’t something I’d recommend using as it hasn’t received an update in well over 5 years and only supports up to Windows 8, which is now moving through End-of-Support from Microsoft.
-Marc