Researchers have identified a new attack strategy that allows malicious updates to be installed on target systems. Dubbed “NachoVPN,” the attack targets corporate clients, such as Palo Alto and SonicWall SSL-VPN clients, by exploiting unpatched vulnerabilities.
NachoVPN Attack Allows Malicious Updates
Researchers from Amberwolf have demonstrated a new attack targeting corporate VPN clients. The “NachoVPN” attack enables adversaries to trick corporate VPN clients into connecting to rogue endpoints, which in turn lets the attackers perform various malicious actions, such as stealing login credentials from the target systems.
Specifically, the attack works against most corporate VPN clients, which the researchers dub “Very Pwnable Networks.” In their study, the researchers demonstrated the attack against two popular VPN clients: SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN. In brief, the attack requires an adversary to trick the target user into connecting to an attacker-controlled endpoint via phishing or social engineering. Once that happens, the attackers could gain elevated privileges to execute arbitrary code and perform other malicious activities.
The following video from HackFest Hollywood 2024 includes details about the “Very Pwnable Networks” that the researchers could target with NachoVPN. They have also shared technical details about the vulnerability exploits in separate advisories for SonicWall and Palo Alto clients.
The researchers also released the NachoVPN tool on GitHub for the community to test. In addition to the two VPN clients demonstrated in the study, the tool supports further clients, such as Cisco AnyConnect.
Following the report, the vendors patched the vulnerabilities accordingly. Specifically, SonicWall patched the vulnerability affecting its SSL VPN NetExtender, CVE-2024-29014, with NetExtender Windows (32 and 64 bit) 10.2.341. Likewise, Palo Alto Networks also addressed the flaw affecting its GlobalProtect app, CVE-2024-5921, with GlobalProtect App 6.2.6 and higher releases.
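Because the fix for each client is tied to a minimum release, the practical defender task after a report like this is to gate an inventory of installed client versions against the fixed versions. The following is an added example, not code from the article, from Amberwolf, or from either vendor: it takes the fixed versions named above (NetExtender 10.2.341 for CVE-2024-29014, GlobalProtect 6.2.6 for CVE-2024-5921) and compares installed versions numerically rather than as strings, which matters because a naive string comparison ranks "10.2.35" above "10.2.341". The inventory records are constructed sample data; host names and version strings are assumptions, and collecting the real installed versions from endpoints is left to whatever asset-management tooling is in use.

```python
"""Gate installed VPN client versions against the fixed releases named in the article.

Added example, not the researchers' tool nor vendor code.  The fixed version
numbers come from the article; the inventory below is constructed sample data.
"""
from typing import Dict, List, Tuple

# Minimum fixed releases as stated in the article (product names are our labels).
FIXED_VERSIONS: Dict[str, str] = {
    "SonicWall NetExtender (Windows)": "10.2.341",  # CVE-2024-29014
    "Palo Alto GlobalProtect App": "6.2.6",          # CVE-2024-5921, "6.2.6 and higher"
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of integers.

    Comparing tuples of ints gives the right answer for 10.2.341 vs 10.2.35;
    comparing the raw strings would not.  Non-digit suffixes (e.g. "6.2.6-h1")
    are dropped from the component they appear in.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {version!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_patched(product: str, installed: str) -> bool:
    """True if the installed version is at or above the fixed release for the product."""
    fixed = parse_version(FIXED_VERSIONS[product])
    current = parse_version(installed)
    # Pad the shorter tuple with zeros so "6.2" and "6.2.0" compare as equal.
    width = max(len(fixed), len(current))
    fixed += (0,) * (width - len(fixed))
    current += (0,) * (width - len(current))
    return current >= fixed


def find_unpatched(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) records that are still below the fixed release."""
    return [rec for rec in inventory if not is_patched(rec[1], rec[2])]


# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-0101", "SonicWall NetExtender (Windows)", "10.2.341"),   # fixed release
    ("ws-0102", "SonicWall NetExtender (Windows)", "10.2.339"),   # below fixed
    ("ws-0103", "SonicWall NetExtender (Windows)", "10.2.35"),    # string-compare trap
    ("ws-0201", "Palo Alto GlobalProtect App", "6.2.6"),          # fixed release
    ("ws-0202", "Palo Alto GlobalProtect App", "6.2.5"),          # below fixed
    ("ws-0203", "Palo Alto GlobalProtect App", "6.3.0"),          # higher release
]


if __name__ == "__main__":
    for host, product, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {host} runs {product} {version} "
              f"(fixed in {FIXED_VERSIONS[product]})")
```

The check deliberately flags any GlobalProtect release below 6.2.6, because that is the only fixed version the article names; if a vendor later ships fixes on other release branches, the map of fixed versions is the one place that needs updating.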
Although the vendors took some time to address the issues, patches are now available, so all users should update their clients to the fixed releases to avoid potential threats.