Vulnerabilities were discovered in the SonicWall NetExtender client, CVE-2024-29014, and the Palo Alto Networks GlobalProtect client, CVE-2024-5921, which can lead to remote code execution (RCE). Continue reading this Cybersecurity Threat Advisory to limit your exposure to these vulnerabilities.
What is the threat?
The vulnerabilities exhibit similar behavior: both rely on the user connecting to a server controlled by the attacker. To exploit them, the threat actor must convince the user either to change their VPN server connection or to click a link containing a malicious URI handled by the VPN software. Here is an overview of each VPN vulnerability:
- CVE-2024-29014: This vulnerability impacts the SonicWall SMA100 NetExtender Windows client, versions 10.2.339 and earlier. A malicious server can execute arbitrary code on the endpoint when the client processes an End Point Control (EPC) client update.
- CVE-2024-5921: This is an insufficient certificate validation vulnerability that impacts the Palo Alto Networks GlobalProtect app for Windows, macOS, and Linux. It allows the app to connect to arbitrary servers, which can lead to malicious software being deployed to the endpoint.
Why is it noteworthy?
A new open-source, proof-of-concept (PoC) attack tool, NachoVPN, was released to simulate the exploitation of these vulnerabilities and achieve privileged code execution on the client. This gives threat actors a ready-made way to learn how to exploit these flaws, and a platform for researching other VPN client vulnerabilities in the future.
Additionally, CVE-2024-5921 was first reported to the vendor in April 2024 and was still exploitable at the time of this advisory. Because both flaws stem from insufficient validation of what the server supplies (its TLS certificate, or an update package it pushes to the client), they are the kind of defect that code review and security testing should have caught earlier.
What is the exposure or risk?
Unlike most VPN-related vulnerabilities, these affect the client rather than the server. As a result, many standard security controls applied to VPN servers will not help. Additionally, the exploit is delivered through social engineering that targets the end user, which makes remediation harder.
Clients configured to accept any server are particularly vulnerable, because they lack restrictions such as accepting only specific IP addresses or DNS names, or disallowing user-entered servers altogether. For CVE-2024-5921, the reported exposure covers all macOS and Linux versions of GlobalProtect, plus Windows versions earlier than 6.2 and the 6.3 line; confirm the current fixed versions against the vendor advisory before relying on an upgrade.
What are the recommendations?
Barracuda recommends the following actions to limit exposure to these vulnerabilities:
- Limit the user's ability to choose the VPN endpoint; allow only administrator-approved servers.
- Restrict the application's outbound connections via the host firewall so the client can reach only the approved VPN servers.
- Limit the ability to execute untrusted code on the endpoint.
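The first two recommendations both come down to an allow-list of approved VPN servers. The script below is an added example written for this advisory; it is not Barracuda, SonicWall or Palo Alto Networks code. It checks a list of server entries (as a user might type them into a client, including full URLs, ports and IPv6 literals) against an allow-list of DNS names, approved sub-domain suffixes and IP ranges, and flags anything else. The policy values, the input format and the sample entries are constructed for illustration; adapt them to where your client actually stores its server list.

```python
"""Allow-list check for VPN client server entries (added example).

Constructed assumptions: the policy values below, and the input format of
one raw entry per line as a user might type it into the VPN client.
"""
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed policy: the only VPN servers this organisation operates.
ALLOWED_HOSTNAMES = {"vpn.example.com", "vpn-dr.example.com"}
ALLOWED_SUFFIXES = (".vpn.example.com",)                     # regional portals
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]  # TEST-NET-3 range


def normalise_host(entry: str) -> Optional[str]:
    """Extract the host from a raw entry.

    Accepts 'vpn.example.com', 'https://vpn.example.com:443/global-protect'
    or '[2001:db8::1]:443'.  Returns None when nothing usable is present.
    """
    entry = entry.strip()
    if not entry:
        return None
    # urlsplit only parses the netloc when a scheme is present.
    if "://" not in entry:
        entry = "https://" + entry
    try:
        host = urlsplit(entry).hostname  # lower-cased, IPv6 brackets removed
    except ValueError:                   # e.g. unbalanced IPv6 brackets
        return None
    return host or None


def is_allowed(entry: str) -> bool:
    """True only if the entry points at an approved server."""
    host = normalise_host(entry)
    if host is None:
        return False

    # IP literal: must fall inside an approved range.  An IPv6 address is
    # never 'in' an IPv4 network, so the check fails closed across families.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in net for net in ALLOWED_NETWORKS)

    # Hostname: exact match, or an approved sub-domain.  Matching on the
    # leading-dot suffix rejects look-alikes such as 'evil-vpn.example.com'
    # and 'vpn.example.com.attacker.test'.
    host = host.rstrip(".")
    if host in ALLOWED_HOSTNAMES:
        return True
    return any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


def audit(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Split entries into (allowed, rejected) lists, stripped of whitespace."""
    allowed, rejected = [], []
    for entry in entries:
        (allowed if is_allowed(entry) else rejected).append(entry.strip())
    return allowed, rejected


# Constructed sample input: what an audit of a user's client might find.
SAMPLE_ENTRIES = [
    "vpn.example.com",
    "https://VPN.example.com:443/global-protect",
    "emea.vpn.example.com",
    "203.0.113.5",
    "203.0.113.200",                          # outside the approved /28
    "vpn.example.com.attacker.test",          # look-alike sub-domain
    "https://vpn.example.com@attacker.test/", # userinfo trick; real host differs
    "[2001:db8::1]:443",                      # IPv6 literal, not approved
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_ENTRIES)
    for e in ok:
        print("ALLOWED ", e)
    for e in bad:
        print("REJECTED", e)
```

The rejected list is what you would remove from the client (or block at the host firewall, using the same allow-list to build the permit rules). Note that the check deliberately ignores the port and path: the policy is about which server the client may talk to, and an attacker who controls DNS or can redirect the user needs the client to accept a different host, not a different port.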
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2024/12/nachovpn-tool-exploits-flaws-in-popular.html
- https://blog.amberwolf.com/blog/2024/november/introducing-nachovpn---one-vpn-server-to-pwn-them-all/
- https://github.com/AmberWolfCyber/presentations/blob/main/2024/Very%20Pwnable%20Networks%20-%20HackFest%20Hollywood%202024.pdf
- https://github.com/AmberWolfCyber/NachoVPN
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.