Virtual Private Networks (VPNs) are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.

CWE-311: Missing Encryption of Sensitive Data

The following products and versions store the cookie insecurely in log files:

- Palo Alto Networks GlobalProtect prior to 4.1.0 (CVE-2019-15373)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the cookie insecurely in memory:

- Palo Alto Networks GlobalProtect prior to 4.1.1
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2 (CVE-2019-1573)
- Cisco AnyConnect 4.7.x and prior

It is likely that this configuration is generic to additional VPN applications. If you believe that your organization is vulnerable, please contact CERT/CC at [email protected] with the affected products, version numbers, patch information, and self-assigned CVE.
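An added example, not part of the original advisory or any vendor's code: a defender-side audit for the log-file half of the CWE-311 issue described above. It flags session cookies written in cleartext to a client log and redacts them. The `Cookie:`/`Set-Cookie:` log layout, the `SESSIONID` name and the thresholds are assumptions, and the sample lines are constructed.

```python
import hashlib
import math
import re
from collections import Counter

# Assumption: leaked cookies appear as name=value pairs after a "Cookie:" or
# "Set-Cookie:" marker; real client log formats differ per product.
COOKIE_HEADER = re.compile(r"(?i)\b(?:set-)?cookie:\s*(.+)$")
PAIR = re.compile(r"([A-Za-z0-9_.-]+)=([^;\s]+)")
MIN_LEN, MIN_ENTROPY = 16, 3.0  # length and bits/char thresholds; tune locally

def looks_secret(value):
    """Long, high-entropy values are treated as session secrets."""
    counts, total = Counter(value), len(value)
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    return total >= MIN_LEN and entropy >= MIN_ENTROPY

def fingerprint(value):
    """SHA-256 prefix: lets findings be correlated without storing the secret."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def find_cookie_leaks(lines):
    """Return (line_number, cookie_name, fingerprint) per suspected secret."""
    findings = []
    for number, line in enumerate(lines, start=1):
        header = COOKIE_HEADER.search(line)
        if header:
            for name, value in PAIR.findall(header.group(1)):
                if looks_secret(value):
                    findings.append((number, name, fingerprint(value)))
    return findings

def redact(line):
    """Replace secret-looking cookie values in a log line with a fingerprint."""
    header = COOKIE_HEADER.search(line)
    if not header:
        return line
    def swap(m):
        tag = f"{m.group(1)}=[REDACTED:{fingerprint(m.group(2))}]"
        return tag if looks_secret(m.group(2)) else m.group(0)
    cleaned = PAIR.sub(swap, header.group(1))
    return line[:header.start(1)] + cleaned + line[header.end(1):]

# Constructed sample log lines (not taken from any real product).
SAMPLE_LOG = [
    "2019-04-11 09:14:02 INFO  connecting to gateway vpn.example.test",
    "2019-04-11 09:14:03 DEBUG response Set-Cookie: SESSIONID=9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c; path=/; secure",
    "2019-04-11 09:14:03 DEBUG request Cookie: lang=en; SESSIONID=9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c",
    "2019-04-11 09:14:05 INFO  tunnel established",
]
```

The report carries only fingerprints, so the audit output does not become a second copy of the cookie; matching fingerprints across lines show the same session value was logged more than once.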
