NachoVPN Attack Risks Risks Corporate VPN Clients

NachoVPN Attack Unveiled: Exploiting Corporate VPN Clients

A recent discovery by security researchers has shed light on a new attack vector targeting corporate VPN clients, named “NachoVPN.” This attack method exploits vulnerabilities in popular VPN clients like Palo Alto and SonicWall SSL-VPN, allowing malicious actors to install unauthorized updates on target systems.

The NachoVPN attack, as demonstrated by experts from Amberwolf, involves tricking unsuspecting corporate VPN users into connecting to rogue endpoints controlled by the attackers. This enables them to carry out malicious activities, including stealing sensitive login credentials from compromised systems.

The attack is particularly effective against what the researchers term as “Very Pwnable Networks,” encompassing a wide range of corporate VPN clients. In their research, the experts showcased the NachoVPN attack on two prominent VPN clients: SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN. The modus operandi involves luring users to connect to a malicious endpoint through phishing or social engineering tactics, granting the attackers elevated privileges to execute arbitrary code and conduct other nefarious actions.

A video presentation from HackFest Hollywood 2024 delves into the intricacies of the “Very Pwnable Networks” susceptible to NachoVPN attacks. The researchers have also provided detailed technical advisories on the vulnerability exploits targeting SonicWall and Palo Alto clients.

The researchers have also made the NachoVPN tool available on GitHub for community testing. This tool extends its functionality to other VPN clients like Cisco AnyConnect, in addition to the VPNs featured in the research.

In response to the findings, the affected vendors have promptly released patches to address the vulnerabilities. SonicWall has fixed the SSL VPN NetExtender vulnerability (CVE-2024-29014) with the NetExtender Windows (32 and 64 bit) 10.2.341 update, while Palo Alto Networks has addressed the GlobalProtect app flaw (CVE-2024-5921) with the GlobalProtect App 6.2.6 and later versions.

It is crucial for users to apply these patches to safeguard their devices against potential threats now that the fixes are readily available. Share your insights in the comments section below.