US-Cert alert! Thanks to a massive bug, VPN now stands for 'Vigorously Pwned Nodes'

The US-Cert is raising alarms following the disclosure of a serious vulnerability in multiple VPN services. A warning from the DHS cyber security team references the CMU Cert Coordination Center's bulletin on the failure of some VPN providers to encrypt the cookie files they place onto the machines of customers. Ideally, a …

  2. Tom Chiverton 1

    What ?

    What ?!?

    VPNs don't have 'session cookies'. That's an HTTP thing. Are you talking about proxies?

    Even where the underlying PtP or whatever link needs a session-like construct, these are *of course* exposed if the attacker owns the end point? So. Umm.

    1. ds6

      We're talking about "value-added" corporate-level VPN applications here, not simpler solutions.
      VPN endpoints...

      a lot of TLS VPNs don't even check a certificate is correct, they simply check it's valid...

      that, combined with no DNSSEC for the hosting domain, means if a user connects on a compromised network they can spoof the name and certificate...

  3. Kevin McMurtrie Silver badge

    Easy fix

    Encrypt the session token.

    Encrypt the key for the encrypted session token.

    Encrypt the key for the key for the encrypted session token.
    Name decryption method "pink_bunnies" so the symbol table isn't too revealing.

    1. whitepines Silver badge

      Re: Easy fix

      Name decryption method "pink_bunnies" so the symbol table isn't too revealing.

      Not "white rabbit"?

    2. Fred Flintstone Gold badge

      Re: Easy fix

      Try "π in the bottom right-hand corner" - most of these hackers are too young to recognise the reference to a 1995 movie that was *well* ahead of its time.

      1. JJKing

        Re: Easy fix

        Curse you, Fred Flintstone. I hope BamBam gets Pebbles up the duff, coz I was going to bed after reading these comments; now I am stuck trying to remember what the Ghost name was in that movie.

        Victory is MINE!! Mozart's Ghost. Now off to see Mr Sandman. Wasn't Sandra Bullock in that movie? Damn, should use Google...

      2. whitepines Silver badge

        Re: Easy fix

        most of these hackers are too young to recognise the reference to a 1995 movie that was *well* ahead of its time.

        And now I suddenly feel old. Thanks for that.

        Much of what the movie got right they took from the books, as far as I recall. Though you still have to give credit: they actually brought in a real Connection Machine (programmed to have the lights show rather useless patterns, but still, it was a real, working, large computer in a Hollywood movie). They even showed compilation taking a very long time (predating the xkcd on this subject by a large margin) and hacking (trying to work out what the white rabbit object did) not really working (none of this modern "mash keyboard to show 'HACKING ALERT' and get all the encrypted files in seconds"). No, it was more a case of needing to read the compiled assembler and core dumps, by which time everyone would be eaten by the rather live and now loose "attractions".

        Then they did the cringeworthy "this is UNIX, I know this!" scene. Talk about whiplash...

  4. John Smith 19 Gold badge

    There are *no* shortcuts if you want full privacy and security.

    I doubt "Should we encrypt the session cookies" was even a question at these companies.

    I'd guess the chain of "logic" the developer(s) followed would have gone something like this:

    "Almost no one knows what these are, so no one will look for them and besides, they are on the end user's machine"

    Forgetting that "Almost no one" would include any competent Black hat on the planet.

    Good developers would have this on their "Stuff not to do when developing a security application" checklist.

    Bad developers don't have a checklist to start with. Part of what makes them bad developers.

    1. Anonymous Coward Silver badge

      Re: There are *no* shortcuts if you want full privacy and security.

      If the end user's machine is compromised enough to leak the cookie, leaking the cookie is irrelevant.

    2. JoelLkins

      Re: There are *no* shortcuts if you want full privacy and security.

      > I'd guess the chain of "logic" the developer(s) would have gone something like this

      > "Almost no one knows what these are, so on one will look for them and beside, they are on the end users [sic] machine"

      The chain of "logic" more likely went something like this:

      Developer: I'll need three weeks to fully implement this

      Manager: Do it in one! Marketing is saying we need to launch before next week.

      Developer: But it will leave certain parts dangerously vuln--

      Manager: Quit arguing and get back to work. We release in a week.

      Developer: But--

      Manager: (glares)

      Developer: sigh

  5. Bobsage1

    This is not something new. Many VPNs use the logic that this is okay because if someone already has access to your file system you're screwed anyway. I have always disagreed because certain malware may only have one function to steal passwords. Especially when used by script kiddies. This would protect against such attacks.

  6. Kiwi
    I was asked to try out NordVPN for someone a while back, and they even pay for my account. I check it from time to time.

    A few days back I noticed on one machine that no matter what it would not connect to their servers. Tested others, and still had no such luck.

    Turns out there was an update in the class of "must be done to connect" (vs others which have been "If and when you want to, no biggie, no rush").

    I wonder if that was due to this?

    1. Sir Runcible Spoon

      Re: Nord..

      For a second there I thought you'd missed off the leading 'F'

  7. FlamingDeath Silver badge

    If you want secure VPN, home bake

    1. Yet Another Anonymous coward Silver badge

      Or at least use OpenVPN not some magic secret sauce corporate crap

      1. Sandtitz Silver badge

        OpenVPN has had its buffer overflows and other vulns in the past, it's not the magic sauce either.

        I prefer IKEv2, which is built into most operating systems.

        1. ds6

          Can you elaborate? What would make it better than, say, WireGuard?

          1. Sandtitz Silver badge

            I have not used WireGuard, but let's see...

            - IKEv2 is built into most operating systems, which is the biggest reason why I wouldn't use WireGuard. Android for some reason doesn't have IKEv2 built in. I'd rely on either OpenVPN or 3rd party IKEv2 software then.

            - No firewall appliance (that I know of) offers WireGuard VPN connections. IKEv2 is not universally adopted by all firewalls either, but it's getting there - especially since all (?) modern firewalls support IKEv2 tunneling.

            - IKEv2 can use AES, which is accelerated by all current CPUs, whereas ChaCha in WireGuard is software driven. Not that important a feature if the VPN connection is over slow links (<10Mbps).

            - IKEv2 is a standard, and based on the earlier proven technology, namely IKE(v1). According to the WireGuard website: "WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change."

            I have nothing against WireGuard, but at the moment I wouldn't use it for anything except my personal connections, not something I would implement for my clients.

    2. JoelLkins

      Everyone knows security software is easy to write! Even a 10 year old can do it!

  8. -tim

    Stateless firewalls are the core problem

    Most so-called stateful firewalls only look at TCP state, so if the packet says it's not new, it gets handed off through the firewall. Things like VPNs and VoIP tend to use stateless protocols, so most firewalls don't do a proper stateful firewall with those packets. Most VPN software inserts packets on the trusted side of firewalls, so there will be no end of security issues. Add in the fact that nearly no one checks for IPv6, even though it is on for nearly every bit of hardware around these days, and the old days of Untrusted/DMZ/Trust network design were obsolete two decades ago. A modern firewall must be truly stateful (based on its own idea of state, not bits in the packet) and zone based (using names for groups of interfaces no matter what the IP addresses or VLAN) or else these issues will keep showing up.

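As an added illustration of the distinction -tim draws above (example code written for this page, not from the comment's author or any firewall product): a toy filter that trusts the packet's own TCP flag bits beside one that keeps its own zone-keyed flow table, run over constructed UDP, TCP and IPv6 packets so the difference for VPN/VoIP-style traffic is visible.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the filter (constructed sample, not a capture)."""
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    in_zone: str      # named zone it arrived on: "trust" or "untrust"
    syn: bool = False  # TCP flag bits; meaningless for UDP
    ack: bool = False


def flag_based_allow(pkt):
    """'Stateful' in name only: inbound TCP with ACK set and SYN clear claims to
    belong to an existing connection and is passed; UDP has no such bits, so it
    is passed through unconditionally."""
    if pkt.proto == "tcp":
        return pkt.in_zone == "trust" or (pkt.ack and not pkt.syn)
    return True


class ConnTracker:
    """Truly stateful: its own flow table, keyed on the 5-tuple, opened only by
    traffic from the trusted zone. Protocol- and address-family-agnostic."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.in_zone == "trust":
            self.flows.add(key)        # outbound from trust opens a flow
            return True
        return reverse in self.flows   # untrust side: replies only


def run_scenario():
    """Returns {name: (flag_based_verdict, tracker_verdict)} for sample traffic."""
    tracker = ConnTracker()
    traffic = [
        ("vpn_out", Packet("udp", "10.0.0.5", 51820, "203.0.113.9", 51820, "trust")),
        ("vpn_reply", Packet("udp", "203.0.113.9", 51820, "10.0.0.5", 51820, "untrust")),
        ("vpn_unsolicited", Packet("udp", "198.51.100.7", 4000, "10.0.0.5", 51820, "untrust")),
        ("forged_tcp_ack", Packet("tcp", "198.51.100.7", 4000, "10.0.0.5", 445, "untrust", ack=True)),
        ("v6_voip_out", Packet("udp", "2001:db8::5", 5060, "2001:db8:f::1", 5060, "trust")),
        ("v6_voip_reply", Packet("udp", "2001:db8:f::1", 5060, "2001:db8::5", 5060, "untrust")),
        ("v6_unsolicited", Packet("udp", "2001:db8:bad::1", 5060, "2001:db8::5", 5060, "untrust")),
    ]
    return {name: (flag_based_allow(p), tracker.allow(p)) for name, p in traffic}
```

The flag-based filter passes every unsolicited UDP packet and the forged TCP ACK; the tracker admits only genuine replies, for IPv4 and IPv6 alike.
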
  9. JeffyPoooh

    Malware would need to know where...

    "The malware would also need to know exactly where to look on the machine in order to get the cookies."

    The malware "needs" to know, in advance? It couldn't be programmed to execute a clever search within the most likely folders?

    1. Aodhhan

      Re: Malware would need to know where...

      Scraping cookie information isn't difficult to do. Most browsers cache them.

      If your browser has developer tool features--you can pull the session cookies from it as well.

      Most malware built to spy/watch what's going on with a browser is going to collect all cookies--not just session cookies.

  10. arctic_haze

    A wizard should know better

    But the real wizards are dead or retired now.

    1. MacroRodent Silver badge

      Re: A wizard should know better

      Or sailed to the West from the Grey Havens.

Biting the hand that feeds IT © 1998–2021