Virtual private networks (VPNs) are considered a safe remote access method. But are they? Known vulnerable VPN phone apps and enterprise solutions underscore the risk in using VPN applications. For example, an in-depth analysis of 283 mobile VPNs on the Google Play store by Australia's Commonwealth Scientific and Industrial Research Organization found significant privacy and security limitations in a majority of the services.
Things aren’t any better in corporate VPN software. Recently attackers have targeted VPN platforms. Some are targeting telecommunications, software and defense industries. Their command-and-control servers hide in public social profiles hosting malware configuration strings, thus making it extremely hard to detect the compromised systems. Once the attackers steal passwords into VPNs, they move further inside the network using Remote Desktop Protocol (RDP). Lateral movement is also done using Mimikatz, PWDump and WDigest credential harvesting.
The vulnerabilities allow an attacker to retrieve files, including those containing authentication credentials, usually through remote code execution (RCE). Then the attacker can use the harvested credentials to connect to the VPN. Once in they can change configuration settings or laterally pivot and connect to further internal infrastructure.
Known pre- and post-auth RCE vulnerabilities in enterprise VPNs
In July 2019, the Orange Tsai and Meh Change discussed pre-auth RCE vulnerabilities at the BlackHat conference in Las Vegas. They noted that SSL VPN is used in corporate networks and is highly trusted. Few SSL vendors dominate the market and are often not updated on remote locations.
Once the attackers come in through the VPN, they then use other methods to harvest user accounts and gain lateral movement in the network. In the case of Office 365, they use an attack tool called “Ruler” to then use Exchange Web Services.
The known RCE vulnerabilities in popular enterprise VPN solutions include:
Pulse Connect Secure
- CVE-2019-11510--pre-auth arbitrary file reading: An unauthenticated remote attacker can craft and send a Uniform Resource Identifier (URI) to read files. This vulnerability affects Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
- CVE-2019-11539--post-auth command injection: The admin web interface allows an authenticated attacker to inject and execute commands. This vulnerability affects Pulse Secure PCS version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1.
Fortinet FortiOS
- CVE-2018-13379--pre-auth arbitrary file reading: A path traversal vulnerability under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. This vulnerability affects Fortinet FortiOS 6.0.0 to 6.0.4 and 5.6.3 to 5.6.7.
- CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user via specially crafted HTTP requests. This vulnerability affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, and 5.4.1 to 5.4.10.
- CVE-2018-13383--post-auth heap overflow: This allows an attacker to gain a shell running on the router. A heap buffer overflow in the SSL VPN web portal can terminate SSL VPN web service for logged-in users due to a failure to properly handle Javascript href data when proxying web pages. Affects all Fortinet FortiOS versions below 6.0.5.
Palo Alto GlobalProtect Portal
- CVE-2019-1579: RCE might allow an unauthenticated remote attacker to execute arbitrary code. This vulnerability affects PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled.
Tips to mitigate risk from enterprise VPN
Don’t assume that VPN applications make you more secure. At times you are introducing more risk, not less. Follow this advice to minimize that risk:
- Review the VPN log files for evidence of compromised accounts in active use.
- Look for connections in odd times and other unusual events that need more investigation.
- Ensure that you can patch and maintain the remote access.
- Add multi-factor authentication (MFA) when using VPN.
- Review the end-user license agreements and examine the reviews before purchasing a VPN solution. Ask around to trusted forums for advice and guidance on VPN solutions.
- Make sure you can update and service the application even on remote locations.
- Provide guidance and education to users on how to properly use VPN.
Don’t forget to sign up for TechTalk from IDG the new YouTube channel for tech news of the day.