Security Vulnerability in VPN Client Applications

A serious security vulnerability has been reported in multiple vendor VPN client applications.
 
These client VPN applications are utilized to allow a remote computer user to securely access an enterprise network via a "virtual private network" connection.
 
GWU utilizes the Cisco AnyConnect VPN application for providing remote users "virtual private" access to the GWU network. The Cisco AnyConnect application is one of the affected products.
 
As of today, the following vendors are believed to be affected by this vulnerability:
  • Palo Alto Networks
  • Pulse Secure
  • Cisco
  • F5 Networks
The vulnerability lies in the way these applications store the authentication and/or session token or cookie. Each of these applications do not encrypt these session tokens before storing them on the user's computer. This insecure storage of the authentication token potentially allows for an attacker to bypass authentication on the user's device, allowing them the same access to the enterprise network as the compromised user.
 
The Cisco AnyConnect VPN client in use by GWU stores the authentication tokens in computer memory, not in a log file. This somewhat reduces the facility in how an attacker can compromise the user credentials. Additionally, Cisco has reported that the session tokens are destroyed upon application termination.
 
At this time, Cisco has not provided any further details or security patches pertaining to this vulnerability. We will provide further information as it becomes available.
 
Affected versions:
This vulnerability affects Cisco AnyConnect version 4.7.x and prior.
 
Remediation:
In the absence of any patch or security update, it is recommended that all users of the Cisco AnyConnect VPN client terminate their session and close the application after use.  
Do not leave the session connected allowing for the timeout to terminate the session.
While this is not ideal, it somewhat minimizes the exposure of the memory resident session tokens to only the time the application is running.
 
When a security patch is provided by Cisco, we will send out another notification.
 
Reference: