SonicWall VPN Clients Not Affected by Session Cookie Vulnerability

First Published: 04/15/2019 | Last Updated: 03/26/2020

On Thursday, April 11, researchers from the Carnegie Mellon University Software Engineering Institute disclosed a global vulnerability in which virtual private network (VPN) applications store authentication and/or session cookies insecurely in memory and/or log files.

At this time, SonicWall is not aware of any situation where a currently valid session token is written to log files outside of very specific debug configurations, which are being eliminated as a precaution to prevent any potential misuse.

As such, SonicWall customers using IPsec VPN clients (e.g., Global VPN Client) or SSL-VPN clients (e.g., Connect Tunnel, NetExtender, Mobile Connect) in their default non-debug mode are not affected.

It should be noted that storage of the session cookie within VPN client process memory during an active session is not considered unwarranted exposure. By design, values within the session cookie are required to maintain session operation if re-establishment is required due to network interruption. In such a scenario, all session material stored by the clients is destroyed once the session is terminated.

We will communicate future updates for this vulnerability via SonicWall Security Advisory SNWLID-2019-0005.