
VPN Vulnerabilities Point Out Need for Comprehensive Remote Security

VPNs are the primary tool for securing remote access, but recently disclosed vulnerabilities point out the weakness of relying on them as the only tool.

"Encryption Everywhere" has become one of the rallying cries of enterprise security in the waning days of this millennium's second decade. But when one of the foundation technologies of enterprise encryption is broken, the repercussions can spread far beyond the security team to cover everything the systems are supposed to protect.

That's why the recent DHS CISA notice of vulnerabilities in four VPN applications is worrying, and why the particulars are so eye-opening. The flaws aren't in the encryption engines at work in the VPNs; they're in how the VPN clients store and protect the session cookie that records that a user has already authenticated. The notice describes those cookies being kept insecurely in memory and in log files on the endpoint, which is exactly where another process, or another user with access to the machine, can pick them up.

So what does it mean when an instrument of security is insecurely implemented? And aside from the obvious solution of patching the vulnerabilities (in Cisco, Palo Alto Networks, F5 Networks, and Pulse Secure products) as quickly as the patches become available, what is a security team to do?

"If we've made any collective mistakes in our use of VPNs, they're around treating VPNs like infallible silver bullets," says Amy Herzog, field CSO at Pivotal. "As with the firewalls of a couple of decades ago, VPNs are just one part of a company's security posture. CISOs and CSOs should ensure their VPN use is as secure as possible, but they should also ensure their VPN fits into a larger system of security capabilities that's resilient to disruption."

It's that feeling of VPN invincibility that experts warn against. "What [VPN] users don't know is that VPNs are also prone to attacks and malware because bad actors know they are being used to convey sensitive information," says Usman Rahim, digital security and operations manager for The Media Trust. "If bad actors are able to exploit vulnerabilities, they will be able to access, steal, and misuse VPN logging data."

The Bad VPN?
As the security industry has seen with Amazon S3 buckets, problems explode when products and services that can be secured are deployed in a horribly insecure fashion.

"Unless businesses created multiple VPN profiles that restrict access to individual network resources, a VPN connection can allow carte blanche access to every network resource that would normally be available to users on the physical network," says Justin Jett, director of audit and compliance at Plixer. "This means that hackers connecting over the VPN will be just as effective at stealing network resources on the VPN as they would be if they had physical access to the network."
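The per-profile restriction Jett describes is, in practice, a post-authentication access policy attached to the VPN group a user lands in. The following is an added example, not code from the article or from any of the vendors named in it: a hypothetical profile table (constructed for this example), a default-deny check for a single flow, a lint that flags carte-blanche profiles using assumed thresholds, and a renderer that turns a profile into nftables filter rules for the address pool the gateway assigns to that profile.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Hypothetical profile table, constructed for this example: VPN group ->
# (destination CIDR, protocol or None for any, port or None for any).
Rule = Tuple[str, Optional[str], Optional[int]]
PROFILES: Dict[str, List[Rule]] = {
    "finance":     [("10.20.0.0/24", "tcp", 443), ("10.20.0.5/32", "tcp", 1433)],
    "contractors": [("10.30.1.10/32", "tcp", 22)],
    # The situation Jett describes: one profile that reaches every resource.
    "default":     [("0.0.0.0/0", None, None)],
}


def is_allowed(profile: str, dst_ip: str, proto: str, port: int) -> bool:
    """Post-authentication check: may a user on this profile reach dst_ip:port?"""
    dst = ipaddress.ip_address(dst_ip)
    for cidr, rule_proto, rule_port in PROFILES.get(profile, []):
        if (dst in ipaddress.ip_network(cidr)
                and rule_proto in (None, proto)
                and rule_port in (None, port)):
            return True
    return False  # default deny: nothing matched


def overly_broad(profile: str, max_hosts: int = 256) -> List[Rule]:
    """Lint a profile for carte-blanche rules. The thresholds are assumptions:
    any rule covering more than max_hosts addresses, or an any-protocol/any-port
    rule covering more than a single host, is flagged for review."""
    flagged: List[Rule] = []
    for cidr, rule_proto, rule_port in PROFILES.get(profile, []):
        net = ipaddress.ip_network(cidr)
        wide_open = rule_proto is None and rule_port is None
        if net.num_addresses > max_hosts or (wide_open and net.num_addresses > 1):
            flagged.append((cidr, rule_proto, rule_port))
    return flagged


def nft_rules(profile: str, pool_cidr: str) -> List[str]:
    """Render a profile as nftables filter rules for the address pool the
    gateway hands to that profile, ending in an explicit drop."""
    rules: List[str] = []
    for cidr, rule_proto, rule_port in PROFILES.get(profile, []):
        match = f"ip saddr {pool_cidr} ip daddr {cidr}"
        if rule_proto is not None and rule_port is not None:
            match += f" {rule_proto} dport {rule_port}"
        rules.append(f"{match} accept")
    rules.append(f"ip saddr {pool_cidr} drop")
    return rules


if __name__ == "__main__":
    print(is_allowed("finance", "10.20.0.7", "tcp", 443))     # True
    print(is_allowed("contractors", "10.20.0.7", "tcp", 443)) # False
    print(overly_broad("default"))                            # [('0.0.0.0/0', None, None)]
    print("\n".join(nft_rules("finance", "10.8.1.0/24")))
```

The point of the lint is that a "default" profile with a single any/any rule is indistinguishable, from the network's point of view, from plugging the remote user into the office switch; the rendered rules make the intended blast radius of each profile something that can be reviewed and diffed rather than inferred.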

In the case of these vulnerabilities, it's as if the system developers built a nice, strong door, then left the key under the big rock directly beneath the doorbell. It's possible, some experts say, that the developers lost sight of the key's importance because it exists as a Web cookie rather than as an authentication certificate.

"As a developer, it's easy to overlook that a cookie needs the same protections as a password because their format is already hashed or encrypted, but this is a common misnomer. Once someone has your cookie, they can just replay it and assume your Web identity," explains Jason Haddix, vice president of researcher growth at Bugcrowd. He says it's critical that those cookies be handled in the same secure manner used for authentication keys and certificates.

The problem is, "any exploit based on extracting keys or cookies and transferring them to another machine means that the VPN implementation on the gateway side does lack some additional countermeasures that I believe should have been implemented," says Etay Bogner, co-founder and CEO of Meta Networks. But which countermeasures or additional security measures should the victims have put into place?
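Haddix's point that a cookie is replayable by anyone who holds it, and Bogner's point that the gateway should refuse a cookie that has been carried to another machine, can both be shown in a few dozen lines. The following is an added example and is not code from the article or from any of the affected products. It contrasts a plain bearer cookie with one that is bound to a per-client value (here, assumed to be the SHA-256 of the client's TLS certificate), carries an expiry, and is HMAC-signed with a gateway key; the gateway key, the certificate bytes and the 15-minute lifetime are all constructed for the example. It also shows what should reach a log file instead of the cookie itself.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Hypothetical gateway secret; a real gateway would keep this in an HSM or KMS.
GATEWAY_KEY = secrets.token_bytes(32)
SESSION_TTL = 900  # seconds; a short lifetime caps the value of a stolen cookie


def client_binding(client_cert_der: bytes) -> str:
    """The identity the cookie is bound to: assumed here to be the SHA-256 of
    the client's TLS certificate. Any per-machine value the gateway itself
    verifies on every connection would serve the same purpose."""
    return hashlib.sha256(client_cert_der).hexdigest()


def issue_cookie_weak(user: str) -> str:
    """The pattern the advisory describes: a bearer value that says nothing
    about where it is presented from. Whoever holds it is the user."""
    return f"{user}:{secrets.token_hex(16)}"


def verify_cookie_weak(cookie: str, _client_cert_der: bytes) -> Optional[str]:
    # Any presenter of a well-formed cookie is accepted; the cert is ignored.
    user, _, token = cookie.partition(":")
    return user if len(token) == 32 else None


def issue_cookie_bound(user: str, client_cert_der: bytes,
                       now: Optional[float] = None) -> str:
    """Hardened: bind the session to the client, add an expiry, and MAC the
    whole payload so a cookie copied to another machine is rejected."""
    expires = int(now if now is not None else time.time()) + SESSION_TTL
    payload = f"{user}|{client_binding(client_cert_der)}|{expires}"
    mac = hmac.new(GATEWAY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie_bound(cookie: str, client_cert_der: bytes,
                        now: Optional[float] = None) -> Optional[str]:
    try:
        user, binding, expires, mac = cookie.split("|")
    except ValueError:
        return None                                   # malformed
    payload = f"{user}|{binding}|{expires}"
    expected = hmac.new(GATEWAY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                                   # forged or tampered
    if int(expires) <= int(now if now is not None else time.time()):
        return None                                   # expired
    if not hmac.compare_digest(binding, client_binding(client_cert_der)):
        return None                                   # presented from another machine
    return user


def redact(cookie: str) -> str:
    """What belongs in a log: enough to correlate events, never enough to replay."""
    return hashlib.sha256(cookie.encode()).hexdigest()[:12]


# Constructed sample: two client machines with different certificates.
VICTIM_CERT = b"-----constructed DER for the victim's laptop-----"
ATTACKER_CERT = b"-----constructed DER for the attacker's box-----"


def demo() -> Dict[str, object]:
    weak = issue_cookie_weak("alice")
    bound = issue_cookie_bound("alice", VICTIM_CERT)
    return {
        "weak_replay_user": verify_cookie_weak(weak, ATTACKER_CERT),        # 'alice'
        "bound_ok_user": verify_cookie_bound(bound, VICTIM_CERT),           # 'alice'
        "bound_replay_user": verify_cookie_bound(bound, ATTACKER_CERT),     # None
        "bound_expired_user": verify_cookie_bound(
            bound, VICTIM_CERT, now=time.time() + SESSION_TTL + 1),         # None
        "log_line": f"user=alice session={redact(bound)}",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The caveat a practitioner will want: binding defeats the "copy the cookie to my own machine" scenario Bogner describes, but not an attacker who runs code on the victim's endpoint and presents the cookie from there, which is why the short expiry and the redacted logging matter as well, and why the vendor patches that stop the cookie from being written out in the first place are still the first step.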

Beyond the VPN
Software-defined perimeter (SDP) systems have begun to appear in the market, and some say they offer the possibility of security beyond the limitations and vulnerabilities of VPNs. They may be part of the solution set that meets the requirements of the Trusted Internet Connection (TIC) 3.0 initiative of the Office of the Federal CIO.

"Solutions such as Zero Trust Networking through a software-defined perimeter will make a strong use case and promote how TIC 3.0 gives agencies greater flexibility and the ability to move quicker," ZScaler's Kovac says. "The SDP approach is to implement cloud-based access services to route traffic directly to the cloud. Using three core components — the application, the broker, and the connector — this method enables a 'trust-to-trust' approach, meaning a specific trusted user is connected to a specific trusted environment."

This approach reduces risk by giving users specific access to specific applications, he says.

Added Bogner: "The unique capability of SDPs is that they redefine the perimeter as a solution that follows the user device wherever it is, rather than an office or data center."

Better VPN Security Today
Technologies such as SDPs may be the solution for the future, but what can a security team do today to make sure its VPN is a security tool, rather than a vulnerability?

"System administrators have an important role to contribute to defense in-depth by using appropriate controls in the VPN configuration," says Fausto Oliveira, principal security architect at Acceptto. "It is not enough to trust in the security of the endpoint. My advice is to use defense-in-depth to help keep your information secure and continue to raise the level of effort required for an attacker to be able to exploit this type of vulnerability."

Jett agrees, and goes further. "VPNs are a great resource, but reviewing VPN policies is critical to making them function correctly and with security as a first priority," he says. "Finally, VPNs should not be the last stop in the security equation. After a user has authenticated via the VPN, additional safeguards should be in place to prevent access to resources."
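One of the post-authentication safeguards Jett calls for is to watch what an authenticated session does next. The following is an added example, not code from the article or any vendor: it runs two checks over VPN gateway log lines, flagging a session id that turns up from a second source address within a short window (the signature of a copied cookie in use) and a session that is still active long after it started. The log format, the field names and the lines themselves are constructed for this example; the detection logic is what carries over to real Cisco, Palo Alto Networks, F5 or Pulse Secure logs, which each need their own parser.

```python
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional, Tuple

# Constructed gateway log lines in a hypothetical "timestamp key=value ..." format.
SAMPLE_LOG = """\
2019-04-12T09:01:02Z event=session_start user=alice session=a1b2c3d4 src=203.0.113.10
2019-04-12T09:03:15Z event=resource_access user=alice session=a1b2c3d4 src=203.0.113.10 dst=10.20.0.5:1433
2019-04-12T09:07:40Z event=resource_access user=alice session=a1b2c3d4 src=198.51.100.77 dst=10.20.0.5:1433
2019-04-12T09:08:01Z event=session_start user=bob session=e5f6a7b8 src=192.0.2.44
2019-04-12T09:09:30Z event=resource_access user=bob session=e5f6a7b8 src=192.0.2.44 dst=10.30.1.10:22
2019-04-12T11:30:00Z event=resource_access user=bob session=e5f6a7b8 src=192.0.2.44 dst=10.30.1.10:22
"""


def parse(line: str) -> Optional[Dict[str, Any]]:
    """Split 'timestamp k=v k=v ...' into a dict; returns None for junk lines."""
    ts, _, rest = line.strip().partition(" ")
    try:
        rec: Dict[str, Any] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for tok in rest.split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    return rec


def detect(lines: List[str],
           replay_window: timedelta = timedelta(minutes=30),
           max_age: timedelta = timedelta(hours=2)) -> List[Dict[str, str]]:
    """Two checks on an already-authenticated session id:
    - session_replay: the same id presented from a different source address
      within replay_window of its last sighting (a copied cookie in use);
    - session_too_old: an id still in use more than max_age after it was
      first seen (a long-lived cookie is a long-lived target).
    The window and age thresholds are assumptions to tune per environment."""
    last_seen: Dict[str, Tuple[datetime, str]] = {}  # session -> (ts, src)
    started: Dict[str, datetime] = {}                # session -> first sighting
    alerts: List[Dict[str, str]] = []
    for line in lines:
        rec = parse(line)
        if not rec or "session" not in rec or "src" not in rec:
            continue
        sid, src, ts = rec["session"], rec["src"], rec["ts"]
        user = rec.get("user", "?")
        started.setdefault(sid, ts)
        prev = last_seen.get(sid)
        if prev and prev[1] != src and ts - prev[0] <= replay_window:
            alerts.append({"kind": "session_replay", "user": user, "session": sid,
                           "detail": f"{prev[1]} then {src} within {ts - prev[0]}"})
        elif ts - started[sid] > max_age:
            alerts.append({"kind": "session_too_old", "user": user, "session": sid,
                           "detail": f"age {ts - started[sid]} exceeds {max_age}"})
        last_seen[sid] = (ts, src)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, alice's session is flagged as a replay because the same cookie appears from 198.51.100.77 four minutes after it was last seen from 203.0.113.10, and bob's is flagged as too old because it is still being used well past the assumed two-hour ceiling. A roaming user changing networks will also trip the replay check, so in production the alert is a trigger for step-up authentication or a forced re-login rather than an automatic block.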



Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...
