A set of vulnerabilities dubbed “NachoVPN” allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them.

AmberWolf security researchers found that attackers can trick potential targets into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to malicious VPN servers using malicious websites or documents in social engineering or phishing attacks.

Threat actors can use rogue VPN endpoints to steal the victims’ login credentials, execute arbitrary code with elevated privileges, install malicious software via updates, and launch code-signing forgery or man-in-the-middle attacks by installing malicious root certificates.

SonicWall released patches to address the CVE-2024-29014 NetExtender vulnerability in July, two months after the initial May report, and Palo Alto Networks released security updates today for the CVE-2024-5921 GlobalProtect flaw, seven months after they were informed of the flaw in April and almost one month after AmberWolf published vulnerability details at SANS HackFest Hollywood.

While SonicWall says customers have to install NetExtender Windows 10.2.341 or higher versions to patch the security flaw, Palo Alto Networks says that running the VPN client in FIPS-CC mode can also mitigate potential attacks besides installing GlobalProtect 6.2.6 or later (which fixes the vulnerability).

On Tuesday, AmberWolf disclosed additional details regarding the two vulnerabilities and released an open-source tool dubbed NachoVPN, which simulates rogue VPN servers that can exploit these vulnerabilities.

“The tool is platform-agnostic, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered,” AmberWolf explained.

“It currently supports various popular corporate VPN products, such as Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure,” the company added on the tool’s GitHub page.

AmberWolf also released advisories with more technical information regarding the SonicWall NetExtender and Palo Alto Networks GlobalProtect vulnerabilities, as well as attack vector details and recommendations to help defenders protect their networks against potential attacks.