Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

End of Bibblio RCM includes -->

7 Ways VPNs Can Turn from Ally to Threat

VPNs are critical pieces of the security infrastructure, but they can be vulnerable, hackable, and weaponized against you. Here are seven things to be aware of before you ignore your VPN.
Previous
1 of 8
Next

VPNs are critical pieces of the enterprise cybersecurity infrastructure. When it comes to protecting data in motion, there's really no good substitute. And that's why it can be so devastating to learn that this mandatory tool can carry vulnerabilities.

Before going any further, it's important to note that nothing here is intended to suggest that your organization ditch its VPNs. Networking with VPNs is vastly more secure than networking without them. With that said, there's no part of the enterprise IT infrastructure that qualifies as "set it and forget it," and VPNs are not exceptions to this rule.

The dangers represented in this article fall into two broad categories; first are the vulnerabilities that are "designed in," featuring problems with the logic, installation, or basic features of the VPN's client or server.

Vulnerabilities in the second group are "classic" vulnerabilities — inadvertent errors in the code running on one side or other of the VPN, an issue with how a protocol is implemented, or something similar.

A number of the vulnerabilities listed in this article have been patched in recent versions of the software, illustrating once again the importance of keeping software updated and fully patched. More than that, the vulnerabilities listed here are a reminder that cybersecurity means looking at every piece of the IT infrastructure, whether it's provided by the business or brought in by the employee. That goes for services as much as for products, and for security services as much as personal productivity applications.

(Image: Bits and Splits via Adobe Stock)

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Poll Results: Maybe Not Burned Out, but Definitely 'Well Done'."

 

Curtis Franklin Jr. is Senior Analyst at Omdia, focusing on enterprise security management. Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications ... View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
rnolan
rnolan,
User Rank: Apprentice
9/30/2019 | 11:52:04 PM
Re: VPN Risks
I'm a bit bemused why most of these services are called VPNs when they are fundamentally just anonymising services (proxys).  A VPN (used to mean) point to "end" point (end to end encryption).  I supose you could call the eco system on the user side of the proxy a private logical network providing some protection from public WiFi etc.  More worrying is the claims made by companies like Nord that using their service protects your data/privacy etc.  It doesn't offer any protection from the proxy to where you are surfing other than hiding your IP address. Obviously if the site you are accessing is a HTTPS/TLS site this will afford some protection but the "VPN" service advertised doesn't.  Moreover, these services provide a perfect man in the middle opportunity and, depending where they are located (i.e. anywhere in the cloud) no regulatory/legal oversight or protection.
repogos
repogos,
User Rank: Apprentice
9/23/2019 | 6:05:28 AM
with all
does with happen with every vpn and for paid one?
Moral_Monster
Moral_Monster,
User Rank: Apprentice
9/22/2019 | 6:47:18 AM
VPN Risks

In most cases I tend to think that the problem is that loose nut behind the keyboard, But each of these are problems that land right in the lap of IT. But is there a site that will give you the straight poop on the different VPN Providers? Until you develop a relationship with your provider the sales weasels will be quick to tell you "Sure we do. Everything is fine.".

Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-2867
PUBLISHED: 2022-08-17
libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.
CVE-2022-2868
PUBLISHED: 2022-08-17
libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.
CVE-2022-2869
PUBLISHED: 2022-08-17
libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering t...
CVE-2022-28751
PUBLISHED: 2022-08-17
The Zoom Client for Meetings for MacOS (Standard and for IT Admin) before version 5.11.3 contains a vulnerability in the package signature validation during the update process. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.
CVE-2022-28752
PUBLISHED: 2022-08-17
Zoom Rooms for Conference Rooms for Windows versions before 5.11.0 are susceptible to a Local Privilege Escalation vulnerability. A local low-privileged malicious user could exploit this vulnerability to escalate their privileges to the SYSTEM user.