VPN apps improperly store authentication tokens and session cookies without encryption. Attackers with local access to user s computer can access authentication and/or session tokens. Cisco, F5 Networks, Palo Alto Networks and Pulse Secure platforms are impacted. No patches appear to be available yet for Cisco AnyConnect, which stores the cookies in log files and in memory, according to the U.S. government advisory. The warning comes after a public disclosure by CERT/CC, the vulnerability disclosure center at Carnegie Mellon University.
Source: https://threatpost.com/authentication-bypass-bug-enterprise-vpns/143781/