New NachoVPN Attack Uses Rogue VPN Servers to Install Malicious Updates

### #NachoVPNExploits #VPNSecurityThreats #RogueVPNServers

Summary: A set of vulnerabilities known as “NachoVPN” allows malicious VPN servers to exploit unpatched Palo Alto and SonicWall SSL-VPN clients, enabling attackers to execute harmful actions on victims’ systems. AmberWolf researchers have developed a tool to simulate these rogue servers and disclosed critical details to aid in defense against such attacks.

Threat Actor: Unknown
Victim: Organizations using affected VPN clients

Key Points:

  • AmberWolf identified vulnerabilities in SonicWall NetExtender and Palo Alto GlobalProtect that can be exploited via rogue VPN servers.
  • Attackers can steal credentials, execute code, and install malware through these vulnerabilities.
  • SonicWall and Palo Alto Networks have released patches, but users must ensure they are using the latest versions to mitigate risks.
  • AmberWolf’s NachoVPN tool can simulate rogue servers and is designed to adapt to various VPN clients.
  • Technical advisories and recommendations have been published to help organizations defend against these vulnerabilities.

Hacker

A set of vulnerabilities dubbed “NachoVPN” allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them.

AmberWolf security researchers found that threat actors can trick potential targets into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to attacker-controlled VPN servers using malicious websites or documents in social engineering or phishing attacks.

Threat actors can use the rogue VPN endpoints to steal the victims’ login credentials, execute arbitrary code with elevated privileges, install malicious software via updates, and launch code-signing forgery or man-in-the-middle attacks by installing malicious root certificates.

SonicWall released patches for the NetExtender vulnerability (CVE-2024-29014) in July, two months after the initial report in May. Palo Alto Networks released security updates today for the GlobalProtect flaw (CVE-2024-5921), seven months after it was informed of the flaw in April and almost one month after AmberWolf published the vulnerability details at SANS HackFest Hollywood.


SonicWall says customers must install NetExtender for Windows 10.2.341 or later to patch the flaw. Palo Alto Networks says the vulnerability is fixed in GlobalProtect 6.2.6 or later, and that running the VPN client in FIPS-CC mode can also mitigate potential attacks.
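For defenders checking their own fleet against the fixed versions named above, here is an added example (not code from the article, AmberWolf, or either vendor) that compares inventoried client versions with those thresholds and treats FIPS-CC mode as a mitigation rather than a fix for GlobalProtect. The host records, product labels and function names are constructed for this example; version strings are assumed to come from your own software inventory.

```python
"""Flag SSL-VPN clients still below the patched versions the article names."""
import re

# Minimum fixed versions stated in the article (NetExtender for Windows,
# GlobalProtect). Products not listed here are out of scope for this check.
MIN_FIXED = {
    "SonicWall NetExtender": (10, 2, 341),
    "Palo Alto GlobalProtect": (6, 2, 6),
}


def parse_version(text):
    """Turn '10.2.341' into a tuple of ints; non-numeric suffixes are ignored."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in nums[:3])


def needs_action(product, version, fips_cc=False):
    """Return a reason string if the host still needs attention, else None.

    FIPS-CC mode is the article's stated mitigation for GlobalProtect only;
    it does not remove the flaw, so such hosts are still reported.
    """
    minimum = MIN_FIXED.get(product)
    if minimum is None:
        return None  # not one of the two affected clients
    if parse_version(version) >= minimum:
        return None
    target = ".".join(map(str, minimum))
    if product == "Palo Alto GlobalProtect" and fips_cc:
        return f"mitigated by FIPS-CC mode; still upgrade to {target}"
    return f"vulnerable, upgrade to {target}"


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_HOSTS = [
    {"host": "ws-01", "product": "SonicWall NetExtender", "version": "10.2.339"},
    {"host": "ws-02", "product": "SonicWall NetExtender", "version": "10.2.341"},
    {"host": "ws-03", "product": "Palo Alto GlobalProtect", "version": "6.2.5", "fips_cc": True},
    {"host": "ws-04", "product": "Palo Alto GlobalProtect", "version": "6.1.0"},
    {"host": "ws-05", "product": "Cisco AnyConnect", "version": "4.10.0"},
]


def report(hosts):
    """Map each host that needs action to the reason it was flagged."""
    flagged = {}
    for h in hosts:
        reason = needs_action(h["product"], h["version"], h.get("fips_cc", False))
        if reason:
            flagged[h["host"]] = reason
    return flagged


if __name__ == "__main__":
    for host, reason in report(SAMPLE_HOSTS).items():
        print(f"{host}: {reason}")
```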

On Tuesday, AmberWolf disclosed additional details regarding the two vulnerabilities and released an open-source tool dubbed NachoVPN, which simulates rogue VPN servers that can exploit these vulnerabilities.

“The tool is platform-agnostic, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered,” AmberWolf explained.

“It currently supports various popular corporate VPN products, such as Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure,” the company added on the tool’s GitHub page.

AmberWolf also released advisories with more technical information regarding the SonicWall NetExtender and Palo Alto Networks GlobalProtect vulnerabilities, as well as attack vector details and recommendations to help defenders protect their networks against potential attacks.

Source: https://www.bleepingcomputer.com/news/security/new-nachovpn-attack-uses-rogue-vpn-servers-to-install-malicious-updates