Some Enterprise VPN Apps Store Authentication/Session Cookies Insecurely (zdnet.com)
At least four Virtual Private Network (VPN) applications sold or made available to enterprise customers share security flaws, warns the Carnegie Mellon University CERT Coordination Center (CERT/CC) and the Department of Homeland Security's Computer Emergency Response Center (US-CERT). From a report: VPN apps from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure are impacted, CERT/CC analyst Madison Oliver said in a security alert published earlier today, echoed by the DHS' US-CERT. All four have been confirmed to store authentication and/or session cookies in a non-encrypted form inside a computer's memory or in log files saved on disk.
I see logging issues in lots of software I test. Developers do things like the pseudo code below (written out here in Ruby form):
begin
  # ... call into the third-party library ...
rescue ThirdPartyLibrary::SomeExceptionType => e
  # whatever the library put in e.message goes straight to the log
  $LOGGER.log(Logger::ERROR, 'Something went wrong in module XYZ: ' + e.message)
  raise e
end
They will make statements to you, if you ask them, like "We never put sensitive information in log files," but they haven't the foggiest idea of the various messages that ThirdPartyLibrary might actually put into its exception messages.
The thing I see most is in various data layer things, be they libraries that call web APIs, database objects, etc., where stuff happens like: 'Something went wrong in user create: INSERT failed for ..., key violation PKEY:FullName,SSN for "Frank Grimes", 666-66-6666'
And just like that your logs now have to be treated as PII.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
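The leak the comment above describes, shown as an added Ruby example that is not part of the original post: a constructed stand-in for a data-layer library (`ThirdPartyDb`, hypothetical) raises an exception whose message echoes the offending row, the leaky handler copies that message into the log verbatim, and a hardened handler logs the exception class plus a redacted message instead. Both variants write to an in-memory logger so the two log outputs can be compared side by side.

```ruby
require 'logger'
require 'stringio'

# Constructed stand-in for a third-party data layer (hypothetical name).
# Its exception message echoes the row that failed, as in the comment's example.
class ThirdPartyDb
  class KeyViolation < StandardError; end

  def insert_user(full_name, ssn)
    raise KeyViolation,
          %(INSERT failed for users, key violation PKEY:FullName,SSN for "#{full_name}", #{ssn})
  end
end

# Leaky pattern: whatever the library put in e.message goes straight to disk.
def create_user_leaky(db, logger, name, ssn)
  db.insert_user(name, ssn)
rescue ThirdPartyDb::KeyViolation => e
  logger.error("Something went wrong in user create: #{e.message}")
  raise
end

# Patterns for values that commonly ride along in data-layer error text.
SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/
QUOTED_RE = /"[^"]*"/

# Strip SSN-shaped tokens and any double-quoted literal (names, keys) from text.
def redact(text)
  text.gsub(SSN_RE, '[REDACTED-SSN]').gsub(QUOTED_RE, '"[REDACTED]"')
end

# Hardened pattern: log a stable description (exception class, operation) and
# run the library's message through redaction before it reaches the log.
def create_user_safe(db, logger, name, ssn)
  db.insert_user(name, ssn)
rescue ThirdPartyDb::KeyViolation => e
  logger.error("user create failed: #{e.class.name}: #{redact(e.message)}")
  raise
end

# Run one variant against an in-memory log and return the captured log text,
# so the difference can be inspected without writing anything to disk.
def captured_log(variant)
  buf = StringIO.new
  logger = Logger.new(buf)
  db = ThirdPartyDb.new
  begin
    # constructed sample record; the values are the comment's own example
    send(variant, db, logger, 'Frank Grimes', '666-66-6666')
  rescue ThirdPartyDb::KeyViolation
    # both handlers re-raise, as the original pattern does; swallowed only for the demo
  end
  buf.string
end

if __FILE__ == $PROGRAM_NAME
  puts '--- leaky handler ---'
  puts captured_log(:create_user_leaky)
  puts '--- hardened handler ---'
  puts captured_log(:create_user_safe)
end
```

The redaction here is a last line of defence, not the fix: the durable change is to log the exception class and an operation identifier and keep the raw library message out of persistent logs entirely, since no regex list anticipates every field a library may echo back.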