A set of vulnerabilities dubbed

New NachoVPN attack uses rogue VPN servers to install malicious updates

submited by
Style Pass
2024-11-27 23:00:04

A set of vulnerabilities dubbed "NachoVPN" allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them.

AmberWolf security researchers found that threat actors can trick potential targets into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to attacker-controlled VPN servers using malicious websites or documents in social engineering or phishing attacks.

Threat actors can use the rogue VPN endpoints to steal the victims' login credentials, execute arbitrary code with elevated privileges, install malicious software via updates, and launch code-signing forgery or man-in-the-middle attacks by installing malicious root certificates.

SonicWall released patches to address the CVE-2024-29014 NetExtender vulnerability in July, two months after the initial May report, and Palo Alto Networks released security updates today for the CVE-2024-5921 GlobalProtect flaw, seven months after they were informed of the flaw in April and almost one month after AmberWolf published vulnerability details at SANS HackFest Hollywood.

While SonicWall says customers have to install NetExtender Windows 10.2.341 or higher versions to patch the security flaw, Palo Alto Networks says that running the VPN client in FIPS-CC mode can also mitigate potential attacks besides installing GlobalProtect 6.2.6 or later (which fixes the vulnerability).

Leave a Comment