About Recent VPN vulnerabilities announcement from CISA.

Posted: Tue Apr 16, 2019 6:56 pm
by satoshi.isomatsu
Hi

You may have heard of Friday’s announcement (April 11th 2019) from the United States Department of Homeland Security, warning of a security bug in several of the leading enterprise virtual private network security applications.

www.us-cert.gov/ncas/current-activity/2 ... plications
www.kb.cert.org/vuls/id/192371/

Does this affect SoftEther VPN?


Regards,

Affected by vulnerability?

Posted: Wed Apr 17, 2019 8:34 pm
by DalTech
Is SoftEther affected by this vulnerability?

"On Thursday, April 11, researchers from the Carnegie Mellon University Software Engineering Institute published a global vulnerability regarding virtual private network (VPN) applications storing authentication and/or session cookies insecurely in memory and/or log files."

Articles:

https://www.kb.cert.org/vuls/id/192371/

https://securityaffairs.co/wordpress/83 ... flaws.html

Re: About Recent VPN vulnerabilities announcement from CISA.

Posted: Tue Jun 04, 2019 9:47 am
by cedar
Not exactly the same, but there may be a similar problem.
Session keys are stored in the VPN Server log, so anyone who can access the VPN server log can hijack the session.
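
The last reply ties the exposure to who can read the VPN server log. The following is an added example, not part of the thread and not SoftEther code: a POSIX-only audit that lists log files and directories readable or writable by anyone other than their owner. The directory path is a placeholder and the function names are hypothetical.

```python
import os
import stat
import sys

# Assumption: placeholder path; pass the real log directory as the first argument.
DEFAULT_LOG_DIR = "/path/to/vpnserver/server_log"


def exposed_classes(mode):
    """Return which non-owner classes hold read or write permission in mode."""
    classes = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        classes.append("group")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        classes.append("other")
    return classes


def audit_log_dir(log_dir):
    """Walk log_dir; return (path, octal mode, classes) for each exposed entry.

    Directories are checked with the same read/write test as files, so a
    directory that non-owners can list is reported even if its files are tight.
    """
    report = []
    for root, _dirs, files in os.walk(log_dir):
        for path in [root] + [os.path.join(root, f) for f in sorted(files)]:
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            classes = exposed_classes(st.st_mode)
            if classes:
                report.append((path, oct(stat.S_IMODE(st.st_mode)), classes))
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_LOG_DIR
    findings = audit_log_dir(target)
    for path, mode, classes in findings:
        print(f"{mode}  {'+'.join(classes):11}  {path}")
    # Non-zero exit lets a cron job or CI step alert on loose permissions.
    sys.exit(1 if findings else 0)
```

An empty report only covers file mode bits; ACLs, backups and log shipping to other hosts need their own review.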