CERT VPN Application Vulnerabilities: Is WatchGuard Affected?
On April 14th, Carnegie Mellon University’s CERT Coordination Center released vulnerability advisory VU#192371, which disclosed security vulnerabilities in several mobile VPN clients from multiple vendors.
In general, the disclosed vulnerabilities involved insecure storage of authentication and session information. Researchers found that some VPN clients stored session cookies unencrypted in log files and in memory. An attacker with access to a system with an active VPN session could potentially scrape valid session information out of memory or log files and replay the session to open a valid VPN connection.
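The log-file half of this problem can be audited and prevented on the client side. The following is an added example, not code from WatchGuard, CERT/CC, or any vendor's client: it flags log lines that hold a cleartext session value and provides a logging filter that redacts such values before they are written. The key names and the sample log lines are constructed assumptions, and the in-memory exposure is not covered.

```python
import logging
import re

# Assumption: names under which a client might log session state. These are
# hypothetical placeholders, not identifiers from any vendor's VPN client.
SENSITIVE_KEYS = ("session_id", "auth_cookie", "token")

# key=value or key: value, where the value is a run of 8+ token characters.
PATTERN = re.compile(
    r"(?i)\b(" + "|".join(map(re.escape, SENSITIVE_KEYS)) + r")"
    r"(\s*[=:]\s*)([A-Za-z0-9+/_.=-]{8,})"
)

def find_exposed_sessions(lines):
    """Return (line_number, key) for every cleartext session value found."""
    return [
        (n, m.group(1).lower())
        for n, line in enumerate(lines, start=1)
        for m in PATTERN.finditer(line)
    ]

def redact(line):
    """Replace each sensitive value with a marker; keep the key for debugging."""
    return PATTERN.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", line)

class RedactingFilter(logging.Filter):
    """Attach to a handler so session values never reach the log file."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted
        return True

# Constructed sample log lines (not from any real client).
SAMPLE_LOG = [
    "10:02:11 INFO connecting to gateway vpn.example.test",
    "10:02:12 DEBUG header Set-Cookie: session_id=Zm9vYmFyYmF6cXV4MTIzNA==; path=/",
    "10:02:12 INFO tunnel established",
    "10:07:40 DEBUG keepalive sent auth_cookie: 9f8e7d6c5b4a39281706",
]

if __name__ == "__main__":
    for n, key in find_exposed_sessions(SAMPLE_LOG):
        print(f"line {n}: cleartext {key}")
    print(redact(SAMPLE_LOG[1]))
```

Redaction is a backstop. The sturdier fix is for the client never to pass the session value to the logger in the first place.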