
Secplicity - Security Simplified

Powered by WatchGuard Technologies

CERT VPN Application Vulnerabilities: Is WatchGuard Affected?

April 24, 2019 By Marc Laliberte


Vulnerability Overview

On April 14th, Carnegie Mellon University’s CERT Coordination Center released vulnerability advisory VU#192371, which disclosed security vulnerabilities in several mobile VPN clients from multiple vendors.

In general, the disclosed vulnerabilities involved insecure storage of authentication and session information. Researchers found that some VPN clients stored session cookies unencrypted in log files and in memory. An attacker with access to a system with an active VPN session could potentially scrape valid session information out of memory or log files and replay the session to open a valid VPN connection.
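The weakness described above is session state written to disk in the clear. As an added example (not code from CERT, WatchGuard or any VPN vendor), the block below shows the defender-side pieces: a redaction step a client would apply before any line reaches its log, and an audit that scans existing log lines for session values that were written raw. The cookie names, log format and sample lines are constructed assumptions.

```python
"""Redact session data before logging, and audit existing VPN client log
lines for unredacted session values.  Added example with constructed
key names and log lines; not any vendor's actual log format."""
import re

# Assumed (constructed) names under which a client might log session state.
SESSION_KEYS = ("session_cookie", "auth_token", "Set-Cookie")

# Matches "key=value" or "key: value"; the value runs to the next whitespace.
_SESSION_RE = re.compile(
    r"(?P<key>" + "|".join(re.escape(k) for k in SESSION_KEYS) + r")"
    r"(?P<sep>\s*[:=]\s*)(?P<value>\S+)"
)

REDACTED = "[REDACTED]"


def redact_session_data(line: str) -> str:
    """Hardened path: replace every session value with a fixed marker
    before the line is handed to the logger."""
    return _SESSION_RE.sub(lambda m: f"{m['key']}{m['sep']}{REDACTED}", line)


def audit_log_lines(lines):
    """Detection path: return (line_no, key) for each line that still
    carries a raw session value, i.e. the unsafe logging the advisory describes."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in _SESSION_RE.finditer(line):
            if m["value"] != REDACTED:
                findings.append((line_no, m["key"]))
    return findings


# Constructed sample log: lines 2 and 3 leak session state, the others do not.
SAMPLE_LOG = [
    "2019-04-14 10:01:02 INFO connect gateway=vpn.example.test user=alice",
    "2019-04-14 10:01:03 DEBUG response Set-Cookie: SESSID=CONSTRUCTED_abc123; Path=/",
    "2019-04-14 10:01:03 DEBUG stored session_cookie=CONSTRUCTED_abc123",
    "2019-04-14 10:05:00 INFO tunnel up",
]

if __name__ == "__main__":
    for line_no, key in audit_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: raw {key} value written to log")
    for line in SAMPLE_LOG:
        print(redact_session_data(line))
```

Running the audit over a client's real log directory (instead of `SAMPLE_LOG`) is a quick way to check whether a deployed client exhibits the storage behaviour the advisory warns about.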

Is WatchGuard Affected?

WatchGuard maintains two distinct Mobile VPN clients, a Mobile VPN with SSL client and a Mobile VPN with IPSec client, neither of which is vulnerable to the issues described in the CERT disclosure.

Mobile VPN with SSL

The WatchGuard Mobile VPN with SSL client is a combination of the open source OpenVPN client and an authentication wrapper that securely downloads OpenVPN configuration profiles from the Firebox. Neither the OpenVPN client nor the WatchGuard authentication wrapper is affected by this vulnerability.

Mobile VPN with IPSec

WatchGuard partners with NCP for our Mobile VPN with IPSec client. This client does keep session information in memory by design, and does so securely, so that it can re-establish sessions after a network interruption. IPSec sessions are bound to the client's IP address, however, which protects against authentication replay attacks.

Update: NCP has released a statement (pdf) confirming they are not affected by this vulnerability.


Filed Under: Editorial Articles Tagged With: Software vulnerabilities

Comments

  1. Bruce Briggs says

    April 25, 2019 at 7:38 am

    How come you did not mention the ShrewSoft IPSec VPN client, which is recommended by WG?

    • Marc Laliberte says

      April 25, 2019 at 9:27 am

      Hey Bruce,

      It looks like we have a KB that needs updating. While we still maintain interoperability with the Shrew client, it isn’t something I’d recommend using as it hasn’t received an update in well over 5 years and only supports up to Windows 8, which is now moving through End-of-Support from Microsoft.

      -Marc

