Security researchers have uncovered serious vulnerabilities in popular corporate VPN clients that could allow attackers to execute malicious code on users' devices through fake VPN servers.
The discovered flaws affect Palo Alto Networks' GlobalProtect App (CVE-2024-5921) and SonicWall's NetExtender VPN client (CVE-2024-29014), potentially exposing users to remote code execution attacks.
In the GlobalProtect App vulnerability, attackers can exploit insufficient certificate validation to connect users to malicious VPN servers. Once connected, these servers can install unauthorized root certificates and malicious software updates that run with system-level privileges.
"Users can be tricked into connecting to rogue VPN servers through social engineering attacks," explained researchers Richard Warren and David Cash from AmberWolf. "These servers can then capture login credentials and compromise systems by pushing malicious client updates."
While Palo Alto Networks has released patches for Windows versions in GlobalProtect app 6.2.6 and later, macOS and Linux versions remain vulnerable. The company recommends enabling FIPS-CC mode as a temporary mitigation.
The SonicWall NetExtender vulnerability affects Windows versions 10.2.339 and earlier, allowing attackers to execute code with system privileges during End Point Control Client updates. Users can be compromised either by connecting to a malicious VPN server or through specially crafted websites and documents that force connections to attacker-controlled servers.
SonicWall has patched this vulnerability in NetExtender Windows version 10.2.341 and strongly recommends that users upgrade immediately.
To demonstrate these vulnerabilities, the researchers released NachoVPN, an open-source tool that simulates malicious VPN servers capable of exploiting these flaws.
The discoveries highlight how VPN clients, despite being security tools, can become attack vectors due to their elevated system privileges. Organizations are advised to implement strict update validation and limit VPN connections to known legitimate servers.
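The update-validation advice above, as an added example that is not code from the researchers, Palo Alto Networks or SonicWall: the client only installs a gateway-delivered update if a pinned vendor key signed its manifest, the payload matches the signed digest and the version is newer than what is installed, so a rogue gateway signing with its own key is refused. The manifest layout and key handling are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes an update a gateway offers; only the vendor signs it (assumed format).
type Manifest struct {
	Version uint32   // monotonically increasing build number
	Digest  [32]byte // SHA-256 of the installer payload
	Sig     []byte   // ed25519 signature over Version||Digest
}

func manifestBytes(version uint32, digest [32]byte) []byte {
	b := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(b, version)
	return append(b, digest[:]...)
}

// Sign models the vendor build pipeline; the private key never reaches any gateway.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Manifest {
	d := sha256.Sum256(payload)
	return Manifest{Version: version, Digest: d, Sig: ed25519.Sign(priv, manifestBytes(version, d))}
}

// VerifyUpdate is the client-side gate before an installer runs with system privileges.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, m Manifest, payload []byte) error {
	if !ed25519.Verify(vendorPub, manifestBytes(m.Version, m.Digest), m.Sig) {
		return errors.New("manifest not signed by pinned vendor key")
	}
	if sha256.Sum256(payload) != m.Digest {
		return errors.New("payload does not match signed digest")
	}
	if m.Version <= installed {
		return errors.New("refusing downgrade or replay of current version")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed installer v2") // constructed sample payload
	fmt.Println("genuine:", VerifyUpdate(vendorPub, 1, Sign(vendorPriv, 2, genuine), genuine))
	// A rogue gateway can sign with its own key, but not with the pinned vendor key.
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := []byte("constructed rogue installer")
	fmt.Println("rogue:", VerifyUpdate(vendorPub, 1, Sign(roguePriv, 3, rogue), rogue))
}
```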