The Department of Homeland Security has issued a warning that some VPN packages from Cisco, Palo Alto, F5 and Pulse may improperly secure tokens and cookies, allowing nefarious actors an opening to invade and take control over an end user’s system.

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) warning comes on the heels of a notice from Carnegie Mellon's CERT that multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.

“If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods,” CERT wrote. “An attacker would then have access to the same applications that the user does through their VPN session.”

According to the CERT warning, the following products and versions store the cookie insecurely in log files:

Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2.

The following products and versions store the cookie insecurely in memory:

Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS.
Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2.
Cisco AnyConnect 4.7.x and prior.

CERT says that Palo Alto Networks GlobalProtect version 4.1.1 patches this vulnerability.

F5 said it was aware of both vulnerabilities and has issued advisories for both CVE-2013-6024 and CVE-2017-6139. The severity of CVE-2013-6024 is low and F5 provided guidance to customers on how to mitigate. CVE-2017-6139 has been fixed in BIG-IP 12.1.3, 13.1.0 and 13.0.1 and customers can eliminate the vulnerability by upgrading to one of these versions. F5 has not received reports from customers of these vulnerabilities being exploited.

CERT said it is unaware of any patches at the time of publishing for Cisco AnyConnect.

Pulse said it was notified by CERT with regards to a vulnerability. This vulnerability affects older versions of Pulse Secure Desktop and Network Connect clients. However, Pulse Secure had already fixed this vulnerability in the latest Pulse Desktop Client and Network Connect product. Pulse issued a related Security Advisory to disclose this to the public - Security Advisory – SA44114.

CERT credited the National Defense ISAC Remote Access Working Group for reporting the vulnerability.
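
A defender-side check for the log-file half of the CERT finding, added here as an example and not taken from CERT, CISA or any vendor: it scans client log lines for credential-like values and reports where they occur without echoing them. The key-name pattern, the entropy threshold and the sample log are assumptions, since the advisory names neither the cookies nor the log formats.

```python
import math
import re
from collections import Counter

# Assumed key names that suggest a session credential (not vendor-specific).
# Matches key=value, key: value and JSON-style "key": "value".
KEY_RE = re.compile(
    r'(?i)\b([\w-]*(?:cookie|session|token|auth)[\w-]*)"?\s*[=:]\s*"?'
    r'([A-Za-z0-9+/_.-]{16,})'
)

def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_logged_secrets(lines, min_entropy=3.5):
    """Return (line_no, key, value_length) for credential-like values.

    min_entropy is a heuristic cut-off that drops masked or placeholder
    values; tune it against the logs being audited.
    """
    hits = []
    for no, line in enumerate(lines, 1):
        for key, value in KEY_RE.findall(line):
            if entropy(value) >= min_entropy:
                # Report only the length: echoing the value would leak it again.
                hits.append((no, key, len(value)))
    return hits

# Constructed sample log, not taken from any real VPN client.
SAMPLE_LOG = [
    "2019-04-12 09:14:02 INFO  connecting to gateway vpn.example.test",
    "2019-04-12 09:14:03 DEBUG portal response: session-cookie=Zk3qP9xLw2Rt7VbN8mYc4HdJ6sQa1UeG",
    "2019-04-12 09:14:03 DEBUG auth-mode=certificate",
    "2019-04-12 09:14:04 DEBUG user-token=xxxxxxxxxxxxxxxxxxxxxxxx (masked)",
    '2019-04-12 09:14:06 DEBUG saved state {"authcookie": "9f8b2c7d41e6a0b35c7e2d18f4a69b03"}',
    "2019-04-12 09:14:07 INFO  tunnel established",
]

if __name__ == "__main__":
    for no, key, length in find_logged_secrets(SAMPLE_LOG):
        print(f"line {no}: {key} holds a {length}-character secret-like value")
```

Any hit means the log file should be treated as holding a live credential: restrict who can read it, and consider the session replayable until it expires or is revoked.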