Novel NachoVPN Attack Delivers Malicious Updates via Rogue VPN Server Exploits

Written by: Lore Apostol, Cybersecurity & Streaming Writer

A set of recently uncovered vulnerabilities, collectively named "NachoVPN," targets unpatched versions of the Palo Alto Networks GlobalProtect and SonicWall NetExtender SSL-VPN clients. These vulnerabilities, discovered by AmberWolf, allow a rogue VPN server to push malicious updates to the devices that connect to it.

Threat actors can exploit NachoVPN vulnerabilities by deceiving users into connecting to malicious VPN endpoints. This is typically achieved through phishing schemes involving malicious websites or compromised documents. 

Once a connection is established, attackers can steal login credentials, execute arbitrary code with elevated privileges, deploy malicious software through fake updates, and install fraudulent root certificates, enabling code-signing forgery or carrying out man-in-the-middle (MITM) attacks.

AmberWolf's analysis highlights how these techniques can have far-reaching consequences for enterprises, potentially compromising sensitive data, disrupting services, and exposing networks to further exploitation.

The vulnerabilities have prompted action from both SonicWall and Palo Alto Networks.

SonicWall patched the CVE-2024-29014 vulnerability in July 2024. Affected users are urged to update to NetExtender Windows 10.2.341 or higher.

Palo Alto Networks released a fix for the CVE-2024-5921 flaw via GlobalProtect 6.2.6, published in early November 2024. Additionally, running the VPN client in FIPS-CC mode offers temporary mitigation.
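As an added, defender-side example (not code from the article, AmberWolf, or either vendor), the PowerShell script below checks whether the Windows NetExtender and GlobalProtect clients installed on a host meet the minimum fixed versions named above. It reads the standard Uninstall registry keys; the display-name substrings used to find each product are assumptions and may need adjusting to match what your installs actually report.

```powershell
# Added example: report patch status of the two VPN clients against the
# minimum fixed versions stated in the article. Display-name substrings
# below are assumptions about how the products register themselves.

$MinimumFixedVersions = @{
    'NetExtender'   = [version]'10.2.341'   # SonicWall fix for CVE-2024-29014 (per article)
    'GlobalProtect' = [version]'6.2.6'      # Palo Alto Networks fix for CVE-2024-5921 (per article)
}

# Both 64-bit and 32-bit uninstall hives, so either installer flavour is found.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-VpnClientPatchStatus {
    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }

    foreach ($product in $MinimumFixedVersions.Keys) {
        $minimum = $MinimumFixedVersions[$product]
        $hits = $installed | Where-Object { $_.DisplayName -like "*$product*" }

        if (-not $hits) {
            [pscustomobject]@{ Product = $product; Installed = $null; Minimum = $minimum; Status = 'NotInstalled' }
            continue
        }

        foreach ($entry in $hits) {
            # DisplayVersion is free text; keep only a leading dotted numeric prefix
            # (e.g. "6.2.6" from "6.2.6-123") so the [version] comparison is meaningful.
            $status = 'UnparsableVersion'
            if ($entry.DisplayVersion -match '^\d+(\.\d+){1,3}') {
                $installedVersion = [version]$Matches[0]
                $status = if ($installedVersion -ge $minimum) { 'Patched' } else { 'VULNERABLE' }
            }
            [pscustomobject]@{
                Product   = $entry.DisplayName
                Installed = $entry.DisplayVersion
                Minimum   = $minimum
                Status    = $status
            }
        }
    }
}

Get-VpnClientPatchStatus | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the endpoint, or wrap it in `Invoke-Command` to sweep a fleet; any row marked `VULNERABLE` is a client still exposed to the NachoVPN rogue-server behaviour described above, and `UnparsableVersion` rows deserve a manual look rather than being assumed safe.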

While patches are now available, the disclosure timeline raises concerns about the delayed vendor response. SonicWall addressed the flaw two months after its initial reporting, while Palo Alto Networks released its patch almost seven months after being informed of the vulnerability, one month following detailed disclosures at SANS HackFest Hollywood.

AmberWolf introduced an open-source tool, also named NachoVPN, designed to simulate rogue VPN servers capable of exploiting these vulnerabilities. According to the researchers, the tool is platform-agnostic and adaptable to various VPN clients, further emphasizing the need for organizations to secure their systems promptly. It presently supports multiple corporate VPN products, including Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure.

AmberWolf encourages collaboration from the cybersecurity community to expand the tool's capabilities and collectively address emergent vulnerabilities.

In other news, the DEEPDATA malware is exploiting an unpatched vulnerability in Fortinet's FortiClient for Windows to steal VPN credentials.
