NachoVPN Attack Exploits RCE Vulnerabilities in SonicWall & Palo Alto VPNs


In a study examining popular corporate VPN clients, including traditional SSL-VPN clients and modern Zero Trust solutions, researchers uncovered vulnerabilities in the trust relationships between these VPN clients and their servers. These flaws demonstrated how attackers could exploit the clients to gain privileged access with little effort.

By abusing the implicit trust that VPN clients place in their servers, attackers can modify client behavior, execute arbitrary commands, and obtain high levels of access on the endpoint.

AmberWolf has announced the release of NachoVPN, an open-source application that demonstrates attack scenarios to help security professionals identify and prevent these threats.

NachoVPN is a proof-of-concept tool for simulating rogue VPN servers that can exploit these vulnerabilities. It demonstrates how privileged code execution may be obtained by taking advantage of unsafe VPN client behaviors.


“The tool is platform-agnostic, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered”, the company said.

NachoVPN Attack

The Palo Alto Networks GlobalProtect app has a vulnerability identified as CVE-2024-5921 that allows attackers to connect the app to an arbitrary server because of inadequate certificate validation.

This may make it possible for an attacker on the same subnet, or a local non-administrative operating system user, to install malicious root certificates on the endpoint and then install malicious software signed by those root certificates on that endpoint.

This issue is fixed in GlobalProtect app 6.2.6 and all later GlobalProtect app 6.2 versions on Windows.

Palo Alto Networks added that by using the GlobalProtect app 6.0 in FIPS-CC mode or GlobalProtect app 5.1 in FIPS-CC mode, you can mitigate the issue on all platforms (Windows, macOS, Linux, iOS, and Android).
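The root cause described above is a client that does not strictly verify which server it is talking to. The following is an added illustration, written for this page and not taken from NachoVPN, Palo Alto Networks or SonicWall, of what strict server-trust checks look like in a Python TLS client: a hardened context that requires a valid chain and a matching hostname, the weak "accept anything" context beside it for contrast, and a post-handshake fingerprint pin so that even a locally installed rogue root cannot vouch for an unexpected server. The CA-bundle path, the pin set and the DER byte string are constructed placeholders.

```python
"""Strict server-trust checks for a TLS client (defensive illustration).

Added example, not NachoVPN or vendor code. The pinned CA path, the
fingerprint allow-list and the DER blob are constructed placeholders.
"""
import hashlib
import hmac
import ssl
from typing import Iterable, Optional

# Constructed allow-list: SHA-256 fingerprints (hex) of the only server
# certificates this client will accept. A real client would receive these
# through enrolment or managed configuration, never from the server itself.
PINNED_FINGERPRINTS = {
    hashlib.sha256(b"constructed-der-certificate-for-demo").hexdigest(),
}


def make_strict_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses unverified or mis-named servers.

    cafile is a hypothetical path to the organisation's own VPN CA bundle.
    Pinning to that bundle is stronger than the system store, because a root
    certificate planted on the endpoint would otherwise be trusted too.
    """
    # PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and check_hostname=True;
    # they are restated here so the policy is explicit to the reader.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)  # trust only the pinned CA
    else:
        ctx.load_default_certs()                  # fall back to system roots
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: any certificate from any server is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def certificate_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def peer_is_pinned(der: bytes, pins: Iterable[str] = PINNED_FINGERPRINTS) -> bool:
    """Accept the peer only if its certificate fingerprint is on the allow-list.

    compare_digest is used so the comparison does not leak timing information.
    """
    fp = certificate_fingerprint(der)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def verify_connected_peer(sock: ssl.SSLSocket,
                          pins: Iterable[str] = PINNED_FINGERPRINTS) -> None:
    """Second check after the handshake: chain validity alone is not enough."""
    der = sock.getpeercert(binary_form=True)
    if der is None or not peer_is_pinned(der, pins):
        raise ssl.SSLError("server certificate is not in the pin set")


if __name__ == "__main__":
    # Offline demonstration on the constructed blob; no network is used.
    print("strict context ok:", context_is_strict(make_strict_client_context()))
    print("weak context ok:  ", context_is_strict(make_weak_client_context()))
    print("pinned peer:      ", peer_is_pinned(b"constructed-der-certificate-for-demo"))
    print("unpinned peer:    ", peer_is_pinned(b"some-other-certificate"))
```

In use, `verify_connected_peer` is called on the socket returned by `ctx.wrap_socket(...)` right after the handshake, before any configuration or update payload from the server is acted on. The pin check is what defends against the local-root scenario: a planted root can satisfy chain validation, but it cannot produce a certificate whose fingerprint is on the allow-list.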

Further, a flaw identified as CVE-2024-29014 in the SonicWALL NetExtender VPN client for Windows, version 10.2.339 and below, enables remote code execution (RCE) with SYSTEM privileges because the signatures of EPC Client updates are not sufficiently validated.

To mitigate this vulnerability, upgrade to SonicWall NetExtender 10.2.341 or later, which fixes this issue.

NachoVPN’s source code is now available on GitHub. It includes a thorough README for developers and researchers, along with usage guidelines and sample configurations.

The company stated that it supports further investigation and research in this area, as well as stronger regulations to secure end-user builds and configurations, thereby reducing exposure to malicious VPN servers.
