AmberWolf Launches NachoVPN Tool to Tackle VPN Security Risks

Researchers reveal major vulnerabilities in popular corporate VPN clients, allowing remote attacks. Discover the NachoVPN tool and expert advisories to mitigate these critical security risks.

In a recent presentation at SANS HackFest Hollywood 2024, cybersecurity researchers at London, England-based firm AmberWolf have revealed critical security vulnerabilities in widely used corporate Virtual Private Network (VPN) clients allowing attackers to target macOS and Windows systems.

These vulnerabilities, found in both traditional SSL-VPN clients and modern Zero Trust solutions, could be exploited by attackers to gain remote code execution and elevated privileges on end-user devices.

The researchers found that VPN clients, while essential for secure remote access, often have deep system access. This makes them attractive and possibly a lucrative target for hackers.

The main problem lies in how these clients trust VPN servers. Attackers can create malicious VPN servers that exploit this trust, allowing them to run commands and gain administrator-level access to a user’s computer with little to no user interaction.

****NachoVPN****

To help the security community understand and mitigate these risks, the researchers have released NachoVPN, an open-source tool that simulates the attack scenarios discussed in their presentation. This tool acts as a malicious VPN server and shows how it can exploit weaknesses in different VPN clients. NachoVPN is designed to be easy to use and can be adapted to test for new vulnerabilities as they are discovered.

_“_NachoVPN serves as a proof-of-concept tool to simulate rogue VPN servers capable of exploiting these vulnerabilities, AmberWolf researchers wrote in their blog post. “It showcases how insecure behaviours in VPN clients can be leveraged to gain privileged code execution.“

Alongside NachoVPN, the researchers have published detailed advisories documenting the specific vulnerabilities disclosed during their presentation. These advisories provide technical descriptions, attack vectors, and mitigation recommendations to help organizations protect themselves against these threats.

****Vulnerabilities****

The vulnerabilities affect popular corporate VPN clients, including Palo Alto GlobalProtect and SonicWall NetExtender for Windows. The advisories, identified as CVE-2024-5921 and CVE-2024-29014, highlight the risks of remote code execution and privilege escalation via malicious VPN servers.

****NachoVPN on GitHub****

For more information about NachoVPN and the disclosed vulnerabilities, interested parties can visit the project’s GitHub repository and review the detailed advisories. The researchers’ presentation from SANS HackFest Hollywood 2024 is also available on the SANS YouTube channel, providing further insights into their findings and recommendations.

1. ASUS and NordVPN Partner to Integrate VPN into Routers
2. Hackers Calling Employees to Steal VPN Logins from Firms
3. Ivanti VPN Flaws Exploited by DSLog Backdoor, Crypto Miners
4. Cisco Fixes High-Severity Code Execution, VPN Hijacking Flaws
5. Hackers Use Stolen VPN Access against Ivanti Users Despite Patches