- Four VPN solutions offered by respected vendors are found to contain severe vulnerabilities.
- The flaws concern the way these products store user data in local log files or in server memory.
- Out of the six vendors tested, four were found to be problematic, but there are at least 230 more.
People use VPN (Virtual Private Network) applications to achieve the highest possible levels of privacy, security, and unrestricted internet access. TechNadu promotes the use of these tools, as we believe they give back to internet users the anonymity and freedom they should have been enjoying in the first place. However, as has been highlighted many times in the past, not all VPN solutions work the way users expect them to, or in accordance with the vendors’ promises. Today is one of those times: news has surfaced of popular VPN apps that store user information insecurely, causing a stir and often discrediting the whole concept.
As unveiled by researchers at Carnegie Mellon University's Software Engineering Institute, and discovered by the National Defense ISAC community, quite a few VPN solutions out there store user authentication and session cookies in unprotected and unencrypted memory and log files. What this means is that it would be practically possible for a malicious actor to retrieve these files through the usual exfiltration methods and then read their contents straight away. The fact that the researchers focused on enterprise-level VPN applications makes the situation even worse, as large companies holding highly sensitive data are targeted by hackers all the time.
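To make concrete, from a defender's side, what "storing session cookies in unencrypted log files" looks like and how a client could avoid it, here is an added example in Python. It is not code from the researchers or from any vendor named in this article. It scans a set of constructed log lines for cleartext session cookies and bearer tokens (the kind of audit an administrator can run over a VPN client's log directory), and it shows a logging formatter that replaces such values with a short fingerprint before they ever reach disk. The cookie and token names, the log lines and the regular expression are assumptions made for illustration, not the products' real identifiers or log formats.

```python
import hashlib
import io
import logging
import re

# Constructed sample lines, written for this example; they are not output
# from any real VPN client, and the cookie/token names are assumptions.
SAMPLE_LOG_LINES = [
    "2019-04-11 09:12:03 INFO  tunnel established to vpn.example.com",
    "2019-04-11 09:12:03 DEBUG Set-Cookie: SESSIONID=a1b2c3d4e5f6a7b8c9d0; Path=/; Secure",
    "2019-04-11 09:12:04 DEBUG auth token=eyJhbGciOiJIUzI1NiJ9.e30.Zm9v",
    "2019-04-11 09:12:05 INFO  keepalive ok",
]

# name=value pairs whose name suggests a session secret. The negative lookahead
# keeps already-redacted values from being reported again.
SECRET_PATTERN = re.compile(
    r"\b(session[a-z]*|sid|token|cookie)=(?!<redacted:)([^;\s]+)",
    re.IGNORECASE,
)


def find_leaked_secrets(lines):
    """Audit log lines; return (line_number, secret_name) for every cleartext secret found."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in SECRET_PATTERN.finditer(line):
            hits.append((number, match.group(1)))
    return hits


def redact(line):
    """Replace each secret value with a truncated SHA-256 fingerprint.

    The fingerprint lets an analyst correlate events that involve the same
    session without the log ever containing the reusable value itself.
    """
    def _replace(match):
        fingerprint = hashlib.sha256(match.group(2).encode()).hexdigest()[:8]
        return f"{match.group(1)}=<redacted:{fingerprint}>"
    return SECRET_PATTERN.sub(_replace, line)


class RedactingFormatter(logging.Formatter):
    """Formatter that redacts secrets at the point where a record becomes text."""

    def format(self, record):
        return redact(super().format(record))


def log_through_redactor(messages):
    """Emit messages through a logger fitted with RedactingFormatter; return what was written."""
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("vpn_client_redaction_demo")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    for message in messages:
        logger.debug(message)
    handler.flush()
    return buffer.getvalue()


if __name__ == "__main__":
    for number, name in find_leaked_secrets(SAMPLE_LOG_LINES):
        print(f"line {number}: cleartext {name} value in log")
    print(log_through_redactor(SAMPLE_LOG_LINES))
```

The audit and the formatter only address the log-file half of the problem. A cookie that stays in process memory for the life of the session still needs separate controls, such as keeping the value no longer than the session requires and relying on the operating system's protections for that process.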
The VPN products that were confirmed to be vulnerable are the following:
- Cisco AnyConnect 4.7 and older
- F5 Networks 12.1.3 and prior, and 13.1.0 and prior, on the corresponding branches
- Palo Alto Networks GlobalProtect Agent 4.1.1 and previous versions, for macOS or Windows
- Pulse Secure Connect Secure 8.1R14, 8.2, 8.3R6, and 9.0R2 and prior, on the corresponding branches
The vendors have been notified by the researchers, but none of them have responded to the presented vulnerabilities. F5 Networks has already published articles on its website about the insecure log and memory storage, first in 2013 and again in 2017.
Not all of the vendors that were tested were found to contain the above vulnerabilities; products from Check Point Software Technologies and from pfSense were found not to be affected by these severe security problems. However, there are more than two hundred vendors offering commercial-grade VPN products, and many of them are bound to be plagued by insecure user data storage methods. As there is no way to tell right now which is safe and which is not, users are advised to use two-factor authentication to log in to their VPN client and even to enable one-time passwords. Of course, updating to the latest version of the product you’re using goes without saying.
Do you trust your data with a VPN solution, and if yes, which one? Let us know in the comments section below, and help us spread the news to more people out there by sharing this post through our socials, on Facebook and Twitter.