About Recent VPN vulnerabilities announcement from CISA.

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
satoshi.isomatsu
Posts: 6
Joined: Tue Apr 16, 2019 6:33 pm

About Recent VPN vulnerabilities announcement from CISA.

Post by satoshi.isomatsu » Tue Apr 16, 2019 6:56 pm

Hi

You may have heard of Friday’s announcement (April 11th 2019) from the United States Department of Homeland Security, warning of a security bug in several of the leading enterprise virtual private network security applications.

www.us-cert.gov/ncas/current-activity/2 ... plications
www.kb.cert.org/vuls/id/192371/

Does this affect to the SoftEther VPN?


Regards,

DalTech
Posts: 1
Joined: Wed Apr 17, 2019 8:21 pm

Affected by vulnerability?

Post by DalTech » Wed Apr 17, 2019 8:34 pm

Is Softether affected by this vulnerability?

"On Thursday, April 11, researchers from the Carnegie Mellon University Software Engineering Institute published a global vulnerability regarding virtual private network (VPN) applications storing authentication and/or session cookies insecurely in memory and/or log files."

Articles:

https://www.kb.cert.org/vuls/id/192371/

https://securityaffairs.co/wordpress/83 ... flaws.html

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: About Recent VPN vulnerabilities announcement from CISA.

Post by cedar » Tue Jun 04, 2019 9:47 am

Not exactly the same, but there may be similar problem.
Session keys are stored in the VPN Server log, so anyone who can access the VPN server log can hijack the session.

Post Reply