NachoVPN Tool Exploits Flaws in Popular VPN Clients for System Compromise
Summary:
Researchers have disclosed significant vulnerabilities in the Palo Alto Networks GlobalProtect and SonicWall SMA100 NetExtender VPN clients for Windows, macOS, and Linux that could enable attackers to execute remote code and gain elevated access. The flaws stem from the inherent trust these VPN clients place in the servers they connect to, which lets an attacker-controlled server manipulate client behavior with minimal user interaction. A proof-of-concept tool named NachoVPN was developed to demonstrate how rogue VPN servers could exploit these vulnerabilities to deliver malicious updates, execute privileged code, and compromise systems.
One of the vulnerabilities, CVE-2024-5921, is an insufficient certificate validation issue in Palo Alto Networks GlobalProtect with a CVSS score of 5.6. It allows the client to connect to rogue servers, which can then deploy malicious software. The flaw affects the Windows, macOS, and Linux versions and has been patched in version 6.2.6 for Windows. Another critical flaw, CVE-2024-29014, affects SonicWall SMA100 NetExtender with a CVSS score of 7.1. It allows arbitrary code execution during End Point Control (EPC) client updates in versions 10.2.339 and earlier and has been resolved in version 10.2.341.
The attack scenarios exploit weaknesses in how these VPN clients validate server connections and handle updates. Palo Alto Networks notes that exploiting the GlobalProtect vulnerability requires attackers to have local non-administrative access to the target system or be on the same subnet. They could then install malicious root certificates to facilitate unauthorized software installation. Once exploited, GlobalProtect can be weaponized to steal VPN credentials, execute privileged code, and install certificates that enable further attacks.
Analyst Comments:
For SonicWall NetExtender, attackers can exploit a custom URI handler to force clients to connect to malicious VPN servers. From there, they can deliver counterfeit EPC updates signed with valid-but-stolen certificates, enabling SYSTEM-level code execution. This attack requires minimal user interaction, such as visiting a malicious website, clicking on a browser prompt, or opening a compromised document.
Mitigation:
The vulnerabilities remain concerning due to their potential impact. While there is no evidence that these flaws have been exploited in the wild, the risks underscore the importance of applying security patches. Users are strongly advised to update to the latest versions of Palo Alto Networks GlobalProtect and SonicWall NetExtender to mitigate potential threats.
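As an added example (not from the article or either vendor), the following PowerShell check lets a Windows administrator confirm installed GlobalProtect and NetExtender builds against the fixed versions cited above and list machine root certificates that are not in a known-good baseline, since rogue root CA installation is the follow-on step the article describes. The Uninstall-key DisplayName matching and the baseline file path are assumptions.

```powershell
# Added example: fleet check for the two issues summarised above.
# Fixed versions are taken from the article text.
$Fixed = @{
    'GlobalProtect' = [version]'6.2.6'     # CVE-2024-5921, Windows fix per article
    'NetExtender'   = [version]'10.2.341'  # CVE-2024-29014, fix per article
}

function Get-VpnClientStatus {
    # Enumerate installed software via the standard Uninstall registry keys.
    # Matching on DisplayName is an assumption; adapt to your inventory source.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'GlobalProtect|NetExtender' } |
        ForEach-Object {
            if (-not $_.DisplayVersion) { return }   # skip entries without a version
            $product = if ($_.DisplayName -match 'GlobalProtect') { 'GlobalProtect' } else { 'NetExtender' }
            # Strip any non-numeric suffix so the string parses as System.Version
            $installed = [version]($_.DisplayVersion -replace '[^\d.]')
            [pscustomobject]@{
                Product    = $product
                Installed  = $installed
                Fixed      = $Fixed[$product]
                Vulnerable = $installed -lt $Fixed[$product]
            }
        }
}

function Get-UnexpectedRootCerts {
    # Compare the machine root store against a baseline of thumbprints captured
    # from a known-good build. The baseline path is an assumption.
    param([string]$BaselinePath = 'C:\Baseline\root-thumbprints.txt')
    $baseline = @{}
    if (Test-Path $BaselinePath) {
        Get-Content $BaselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }
    }
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { -not $baseline.ContainsKey($_.Thumbprint.ToUpper()) } |
        Select-Object Thumbprint, Subject, NotBefore, NotAfter
}

Get-VpnClientStatus    | Format-Table -AutoSize
Get-UnexpectedRootCerts | Format-Table -AutoSize
```

Run it with an empty or missing baseline once to capture the full root store on a clean reference build, then feed that list back as the baseline for subsequent checks.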
Advisories:
- Palo Alto GlobalProtect - RCE and Privilege Escalation via Malicious VPN Server (CVE-2024-5921)
- SonicWall NetExtender for Windows - RCE as SYSTEM via EPC Client Update (CVE-2024-29014)
Link(s):
https://thehackernews.com/2024/12/nachovpn-tool-exploits-flaws-in-popular.html