Critical NachoVPN Vulnerabilities Expose Palo Alto and SonicWall VPN Clients to Malicious Attacks

A newly discovered set of vulnerabilities, called "NachoVPN," puts unpatched Palo Alto and SonicWall SSL-VPN clients at risk of malicious updates when connecting to rogue VPN servers.

AmberWolf security researchers found that an attacker can trick a user into pointing their SonicWall NetExtender or Palo Alto GlobalProtect VPN client at an attacker-controlled server. The lure is typically delivered by phishing, for example a malicious website or document that carries the rogue server's address.

Once a client connects, the rogue server can capture the user's VPN login credentials, push a malicious update that executes arbitrary code with elevated privileges and installs malware, and plant an attacker-controlled root certificate that lets the attacker intercept the client's traffic in a man-in-the-middle position.

To address these issues, SonicWall patched the CVE-2024-29014 NetExtender vulnerability in July, two months after being notified in May. Palo Alto Networks released security updates today to fix the CVE-2024-5921 GlobalProtect vulnerability, seven months after the flaw was first reported in April. Users are urged to update to SonicWall NetExtender Windows 10.2.341 or higher and Palo Alto GlobalProtect 6.2.6 or later. Palo Alto also recommends using FIPS-CC mode to mitigate potential threats.
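A practical follow-up to the update thresholds and the root-certificate point above, as an added example that is not part of the original post and is not code from AmberWolf's NachoVPN tool: a PowerShell audit that compares the installed NetExtender and GlobalProtect versions against the fixed versions quoted in the article, and lists trusted root certificates that are absent from a saved baseline (or, with no baseline, were issued recently). The registry paths, the product display-name patterns and the baseline file name are assumptions; FIPS-CC mode is not checked.

```powershell
# Added example, not code from the article or from AmberWolf's NachoVPN tool.
# Checks a Windows host against the fixed client versions quoted above and
# lists root certificates that were not in a saved baseline (or, with no
# baseline, were issued recently), the artefact a rogue server leaves behind.
# Assumptions: the installers register the display names matched below under
# the standard Uninstall keys; adjust the patterns if yours differ. FIPS-CC mode
# is not checked. Run from an elevated PowerShell session.

$Fixed = @{
    'SonicWall NetExtender*' = [version]'10.2.341'   # CVE-2024-29014 fixed here
    'GlobalProtect*'         = [version]'6.2.6'      # CVE-2024-5921 fixed here
}

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-VpnClientStatus {
    # Installed products that carry both a display name and a version string.
    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }

    foreach ($pattern in $Fixed.Keys) {
        $hits = @($installed | Where-Object { $_.DisplayName -like $pattern })
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Client = $pattern; Installed = $null; Status = 'not installed' }
            continue
        }
        foreach ($hit in $hits) {
            # Compare as System.Version, not as strings: as strings '10.2.341' sorts
            # below '10.2.9', which would mark a patched client as vulnerable.
            $v = $null
            $status = if (-not [version]::TryParse($hit.DisplayVersion, [ref]$v)) { 'unparseable version' }
                      elseif ($v -ge $Fixed[$pattern]) { 'patched' }
                      else { 'VULNERABLE - update required' }
            [pscustomobject]@{ Client = $hit.DisplayName; Installed = $hit.DisplayVersion; Status = $status }
        }
    }
}

function Get-UnexpectedRootCerts {
    param(
        [string]$BaselinePath,   # one thumbprint per line, captured on a known-good host
        [int]$Days = 30          # fallback window when no baseline is available
    )
    $baseline = @()
    if ($BaselinePath -and (Test-Path $BaselinePath)) { $baseline = @(Get-Content $BaselinePath) }
    $cutoff = (Get-Date).AddDays(-$Days)

    # Check both stores: adding a root to the per-user store needs no admin rights.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | Where-Object {
            if ($baseline.Count -gt 0) { $_.Thumbprint -notin $baseline } else { $_.NotBefore -gt $cutoff }
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                NotBefore  = $_.NotBefore
                Thumbprint = $_.Thumbprint
            }
        }
    }
}

# Usage: capture a baseline once on a clean host ...
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint | Set-Content root-baseline.txt
# ... then audit:
Get-VpnClientStatus | Format-Table -AutoSize
Get-UnexpectedRootCerts -BaselinePath '.\root-baseline.txt' | Format-Table -AutoSize
```

The version check deliberately parses with `[version]` rather than comparing strings, since a string comparison misorders versions such as 10.2.341 and 10.2.9. A baseline of thumbprints is more reliable than the date window: an attacker can backdate a self-signed root's NotBefore, but cannot make its thumbprint match one already trusted on the clean reference host.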

AmberWolf disclosed additional technical details about the vulnerabilities on Tuesday and introduced an open-source tool called NachoVPN.

"The tool is platform-agnostic, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered," AmberWolf explained.

The tool currently supports several corporate VPN clients, including Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure, as noted on its GitHub page.

AmberWolf has also released advisories detailing the vulnerabilities, attack vectors, and recommendations to help organizations protect their networks from potential exploitation.