Researchers from AmberWolf have identified vulnerabilities, collectively named "NachoVPN," in SonicWall and Palo Alto SSL-VPN clients. These flaws allow attacker-controlled VPN servers to deliver malicious updates when unsuspecting users connect.
Threat actors can lure victims into connecting their SonicWall NetExtender or Palo Alto GlobalProtect VPN clients to rogue servers through phishing schemes or malicious links. Once a victim's client has connected, attackers can execute code with elevated privileges, install malware, steal credentials, or intercept communications using fake root certificates.
SonicWall patched the CVE-2024-29014 vulnerability in July, advising users to upgrade to NetExtender version 10.2.341 or higher. Palo Alto addressed CVE-2024-5921 with updates for GlobalProtect (version 6.2.6 or later) released seven months after disclosure, while also recommending FIPS-CC mode as a mitigation.
AmberWolf released an open-source NachoVPN tool to simulate rogue servers exploiting these vulnerabilities and encourage community collaboration. The tool supports multiple VPN clients, including Cisco AnyConnect and Ivanti Connect Secure, and is extensible for future threats.
Security advisories with technical details and protection recommendations have been shared to help organizations defend against such attacks.