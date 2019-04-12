Some Enterprise VPN Apps Store Authentication/Session Cookies Insecurely (zdnet.com) 11
At least four Virtual Private Network (VPN) applications sold or made available to enterprise customers share security flaws, warns the Carnegie Mellon University CERT Coordination Center (CERT/CC) and the Department of Homeland Security's Computer Emergency Response Center (US-CERT). From a report: VPN apps from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure are impacted, CERT/CC analyst Madison Oliver said in a security alert published earlier today, echoed by the DHS' US-CERT. All four have been confirmed to store authentication and/or session cookies in a non-encrypted form inside a computer's memory or log files saved on disk.
USG (Score:2)
I was being ironic, but seriously... would you be surprised, knowing what we know today?
How to avoid storing active auth tokens in memory? (Score:1)
CERT Vulnerability Note VU#192371 [cert.org]
Writing passwords or authentication tokens to log files is just dumb.
(And makes you wonder about development and review processes at the guilty companies and their customers.)
But what does "store the [authentication and/or session] cookie insecurely in memory" mean? How do you avoid that for DTLS or VPNs that maintain connections transparently as you roam across networks?
log file issues, I see it literally all the time (Score:3)
I see logging issues in lots of software I test. Developers do things like the pseudo code below:
    require 'logger'
    $LOGGER = Logger.new($stderr)

    begin
      # ... call into the third-party library
    rescue ThirdPartyLibrary::SomeExceptionType => e
      # Whatever the library put in e.message lands in the log verbatim
      $LOGGER.error("Something went wrong in module XYZ: #{e.message}")
      raise
    end
They will make statements to you if you ask them, like "We never put sensitive information in log files," but they haven't the foggiest idea of the various messages that ThirdPartyLibrary might actually put into its exception messages.
The thing I see most is various data layer things, be they libraries that call web APIs, or database objects, etc., where stuff happens like: 'Something went wrong in user create: INSERT failed for ..., key violation PKEY:FullName,SSN for "Frank Grimes", 666-66-6666'
And just like that your logs now have to be treated as PII
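The leak the comment above describes, and one way to contain it, as an added example in Ruby that is not the commenter's code or any real library's: the "naive" handler logs the third-party exception message verbatim, the "careful" handler logs the exception class plus a redacted copy of the message and still re-raises, so the caller keeps the full error. ThirdPartyLibrary, its create_user method, the key-violation message it raises and the REDACTIONS patterns are all constructed for this illustration.

```ruby
require 'logger'
require 'stringio'

# Constructed stand-in for a third-party data-layer library whose exception
# message echoes the failing row back at you (assumption, not a real gem).
module ThirdPartyLibrary
  class SomeExceptionType < StandardError; end

  def self.create_user(full_name, ssn)
    raise SomeExceptionType,
          "INSERT failed for users, key violation PKEY:FullName,SSN for \"#{full_name}\", #{ssn}"
  end
end

# Patterns scrubbed before a message is allowed near the log. These two are
# illustrative assumptions; extend for whatever your data layer is known to echo.
REDACTIONS = {
  /\b\d{3}-\d{2}-\d{4}\b/ => '[SSN]',        # US SSN shaped values
  /"[^"]{1,200}"/           => '"[REDACTED]"' # quoted literal values the DB echoed
}.freeze

def redact(text)
  REDACTIONS.reduce(text) { |acc, (re, sub)| acc.gsub(re, sub) }
end

# Naive pattern: the library's message goes straight into the log.
def naive_log(logger)
  ThirdPartyLibrary.create_user('Frank Grimes', '666-66-6666')
rescue ThirdPartyLibrary::SomeExceptionType => e
  logger.error("Something went wrong in user create: #{e.message}")
  raise
end

# Careful pattern: log a stable identifier plus the exception class, and pass
# the message through the redactor. The untouched exception still propagates
# to the caller, so nothing is lost for debugging except the on-disk copy.
def careful_log(logger)
  ThirdPartyLibrary.create_user('Frank Grimes', '666-66-6666')
rescue ThirdPartyLibrary::SomeExceptionType => e
  logger.error("user create failed (#{e.class}): #{redact(e.message)}")
  raise
end

# Run one of the two patterns against an in-memory logger and return what
# would have been written, so the difference can be inspected without a file.
def captured_log(pattern)
  buf = StringIO.new
  logger = Logger.new(buf)
  logger.formatter = proc { |sev, _time, _prog, msg| "#{sev}: #{msg}\n" }
  begin
    send(pattern, logger)
  rescue ThirdPartyLibrary::SomeExceptionType
    # both patterns re-raise; swallowed here only so we can read the buffer
  end
  buf.string
end

if __FILE__ == $PROGRAM_NAME
  puts captured_log(:naive_log)
  puts captured_log(:careful_log)
end
```

The redactor is a last line of defence, not a substitute for not logging e.message in the first place; the point of keeping the exception class and a fixed, locally written description is that the log stays useful for triage while the part you do not control never reaches disk.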
Planting the seeds for the future.... (Score:2)
Their developers are smart - they've now got job security later on, after this gig goes belly up - then they can work for the Government or the piracy pigs and get paid an ever bigger bounty selling their customers out.
It's the new American way; like banking at Wells Fargo, financing a Chevy, flying Boeing, or having fire and flood insurance that didn't pay after years of overbuying medical, earthquake and auto coverage... Damned if you do, damned if you don't.
The customer is way too low on the food chain
In Enterprise software? (Score:2)
You mean software which is sold by slick salesmen to the highest reaches of the C-Suite, with no regard for how it's implemented or used, is of truly lackluster quality? Who'd have thought?
(Spoiler: me)