Cisco this week acknowledged that its VPN application stores session cookies within system memory, but said the exposure associated with this activity isn't 'unwarranted.'
The CERT Coordination Center at Carnegie Mellon University announced last week that Cisco AnyConnect 4.7.x and prior store session cookies insecurely in memory. CERT also reported similar VPN application vulnerabilities in products from Palo Alto Networks, F5 Networks, and Pulse Secure, and said the vulnerability could enable a threat actor to take control of a user's applications.
The networking giant admitted that the Cisco AnyConnect VPN product stores session cookies within system memory to support resumption of clientless VPN sessions, according to a post by Omar Santos, principal engineer of Cisco's product security incident response team.
"The storage of the session cookie within process memory of the client - and in cases of clientless sessions, the web browser - while the sessions are active are not considered to be unwarranted exposure," Santos wrote.
Specifically, Santos said the storage of session cookies within system memory is required to maintain the operation of the session in the event that re-establishment is required due to network interruption. Any session material stored by the Cisco AnyConnect client or clientless products is destroyed once the session is deliberately terminated by the client, according to Santos.
Cisco has documented the concerns raised by CERT, Santos said, and the company's engineering teams will incorporate the feedback into discussions around future Cisco AnyConnect design improvements.
The company additionally determined that Cisco AnyConnect isn't vulnerable to writing a currently valid session token into log files. CERT had expressed concerns about Palo Alto Networks, Pulse Secure, and F5 Networks products storing session cookies insecurely in log files, but hadn't taken issue with Cisco's log storage technique.
If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they could replay the session and bypass other authentication methods, according to CERT. An attacker with a stolen token would have access to the same company apps, systems and data as a legitimate user does through their VPN session, CERT said.
CERT said that VPN applications from Check Point Software Technologies, LANCOM Systems, and pfSense were not affected by this vulnerability. The status of VPN applications from more than 200 other vendors, however, remains unknown, according to CERT.