
VPN Vulnerabilities Point Out Need for Comprehensive Remote Security

VPNs are the primary tool for securing remote access, but recently disclosed vulnerabilities point out the weakness of relying on them as the only tool.

"Encryption Everywhere" has become one of the rallying cries of enterprise security in the waning days of this millennium's second decade. But when one of the foundation technologies of enterprise encryption is broken, the repercussions can spread far beyond the security team to cover everything the systems are supposed to protect.

That's why the recent DHS CISA notice of vulnerabilities in four VPN applications is worrying, and why the particulars are so eye-opening. As it turns out, the vulnerabilities aren't in the encryption engines at work in the VPNs at all; they're in the way the evidence that a particular session has been authenticated is stored and protected.

So what does it mean when an instrument of security is insecurely implemented? And aside from the obvious solution of patching the vulnerabilities (in Cisco, Palo Alto Networks, F5 Networks, and Pulse Secure products) as quickly as the patches become available, what is a security team to do?

"If we've made any collective mistakes in our use of VPNs, they're around treating VPNs like infallible silver bullets," says Amy Herzog, field CSO at Pivotal. "As with the firewalls of a couple of decades ago, VPNs are just one part of a company's security posture. CISOs and CSOs should ensure their VPN use is as secure as possible, but they should also ensure their VPN fits into a larger system of security capabilities that's resilient to disruption."

It's that feeling of VPN invincibility that experts warn against. "What [VPN] users don't know is that VPNs are also prone to attacks and malware because bad actors know they are being used to convey sensitive information," says Usman Rahim, digital security and operations manager for The Media Trust. "If bad actors are able to exploit vulnerabilities, they will be able to access, steal, and misuse VPN logging data."

The Bad VPN?
As the security industry has seen with Amazon S3 buckets, problems explode when products and services that can be secure are deployed in a horribly insecure fashion.

"Unless businesses created multiple VPN profiles that restrict access to individual network resources, a VPN connection can allow carte blanche access to every network resource that would normally be available to users on the physical network," says Justin Jett, director of audit and compliance at Plixer. "This means that hackers connecting over the VPN will be just as effective at stealing network resources on the VPN as they would be if they had physical access to the network."

In the case of these vulnerabilities, it's as if the system developers built a nice, strong door, then left the key under the big rock directly beneath the doorbell. It's possible, some experts say, that the developers lost sight of how important the "keys" were because those keys exist as Web cookies rather than as authentication certificates.

"As a developer, it's easy to overlook that a cookie needs the same protections as a password because their format is already hashed or encrypted, but this is a common misnomer. Once someone has your cookie, they can just replay it and assume your Web identity," explains Jason Haddix, vice president of researcher growth at Bugcrowd. He says it's critical that those cookies be handled in the same secure manner used for authentication keys and certificates.
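To make the cookie-as-credential point concrete, here is an added example (mine, not code from the article or from any of the affected vendors): a minimal gateway-style session store written two ways. The naive version keeps the raw cookie as the key of its session table and writes it to its own log, so anyone who can read either the log or a dump of the table can replay a session. The hardened version keeps only an HMAC of the cookie at rest, logs a short identifier instead of the cookie, and enforces an expiry. The usernames, log format, TTL and the in-memory MAC key are assumptions for the demo.

```python
"""Added example: session cookies as bearer credentials, stored weakly vs. hardened.
Not from the article or any vendor product; names, log format and TTL are assumed."""
import hashlib
import hmac
import re
import secrets
import time

SESSION_TTL = 600  # seconds; an assumed policy value


class NaiveGateway:
    """Weak pattern: the raw cookie is the table key and is written to the log."""

    def __init__(self):
        self.sessions = {}  # raw cookie -> username
        self.log = []

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        self.log.append(f"session established user={user} cookie={cookie}")
        return cookie

    def authorize(self, cookie):
        return self.sessions.get(cookie)


class HardenedGateway:
    """Only an HMAC of the cookie is stored, the log never sees the cookie,
    and every session expires. A per-process key (assumed to live only in
    memory) keeps a leaked table from being brute-forced offline."""

    def __init__(self, now=time.time):
        self.now = now
        self.key = secrets.token_bytes(32)
        self.sessions = {}  # HMAC(cookie) -> (username, expiry timestamp)
        self.log = []

    def _digest(self, cookie):
        return hmac.new(self.key, cookie.encode(), hashlib.sha256).hexdigest()

    def login(self, user):
        cookie = secrets.token_urlsafe(32)
        sid = self._digest(cookie)
        self.sessions[sid] = (user, self.now() + SESSION_TTL)
        # A short prefix of the digest is enough to correlate log lines.
        self.log.append(f"session established user={user} sid={sid[:8]}")
        return cookie

    def authorize(self, cookie):
        sid = self._digest(cookie)
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, expires = entry
        if self.now() > expires:
            del self.sessions[sid]  # expired: drop it so it cannot be replayed later
            return None
        return user

    def logout(self, cookie):
        self.sessions.pop(self._digest(cookie), None)


COOKIE_RE = re.compile(r"cookie=([0-9a-f]{32})")


def replay_from_log(gateway):
    """Attacker who can read the gateway's log harvests cookies and replays them."""
    users = []
    for line in gateway.log:
        match = COOKIE_RE.search(line)
        if match:
            users.append(gateway.authorize(match.group(1)))
    return users


def replay_from_store_dump(gateway):
    """Attacker who can read the session table tries every key as a cookie."""
    return [u for u in (gateway.authorize(k) for k in list(gateway.sessions)) if u]


if __name__ == "__main__":
    naive = NaiveGateway()
    naive.login("alice")
    print("naive, replay from log:", replay_from_log(naive))  # ['alice']
    hardened = HardenedGateway()
    cookie = hardened.login("alice")
    print("hardened, replay from log:", replay_from_log(hardened))  # []
    print("hardened, stolen live cookie:", hardened.authorize(cookie))  # alice
```

Note that a live cookie still authorizes against the hardened gateway. That is exactly Haddix's point: hashing at rest and keeping the cookie out of logs close the at-rest exposure the article describes, but a cookie lifted from a client while the session is valid is a working credential until it expires or is revoked, so short lifetimes and logout on disconnect matter as much as how the cookie is stored.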

The problem is, "any exploit based on extracting keys or cookies and transferring them to another machine means that the VPN implementation on the gateway side does lack some additional countermeasures that I believe should have been implemented," says Etay Bogner, co-founder and CEO of Meta Networks. But which countermeasures or additional security measures should the victims have put into place?

Beyond the VPN
Software-defined perimeter (SDP) systems have begun to appear in the market, and some say they offer the possibility of security beyond the limitations and vulnerabilities of VPNs. They may be part of the solution set that meets the requirements of the Trusted Internet Connection (TIC) 3.0 initiative of the Office of the Federal CIO.

"Solutions such as Zero Trust Networking through a software-defined perimeter will make a strong use case and promote how TIC 3.0 gives agencies greater flexibility and the ability to move quicker," Zscaler's Kovac says. "The SDP approach is to implement cloud-based access services to route traffic directly to the cloud. Using three core components — the application, the broker, and the connector — this method enables a 'trust-to-trust' approach, meaning a specific trusted user is connected to a specific trusted environment."

This approach reduces risk by giving users specific access to specific applications, he says.

Added Bogner: "The unique capability of SDPs is that they redefine the perimeter as a solution that follows the user device wherever it is, rather than an office or data center."

Better VPN Security Today
Technologies such as SDPs may be the solution for the future, but what can a security team do today to make sure its VPN is a security tool, rather than a vulnerability?

"System administrators have an important role to contribute to defense in-depth by using appropriate controls in the VPN configuration," says Fausto Oliveira, principal security architect at Acceptto. "It is not enough to trust in the security of the endpoint. My advice is to use defense-in-depth to help keep your information secure and continue to raise the level of effort required for an attacker to be able to exploit this type of vulnerability."

Jett agrees, and goes further. "VPNs are a great resource, but reviewing VPN policies is critical to making them function correctly and with security as a first priority," he says. "Finally, VPNs should not be the last stop in the security equation. After a user has authenticated via the VPN, additional safeguards should be in place to prevent access to resources."
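Jett's two points, VPN profiles that restrict each user to specific resources and safeguards that keep applying after authentication, come together in this added example, which is mine rather than code from the article or any vendor: a per-profile allowlist with default deny, used first as an authorization check and then as an audit over connection records from the VPN pool. The flat "everything in 10/8" profile is shown beside the restricted ones. Profile names, addresses, ports and the connection records are constructed for the demo; a real deployment would take the records from gateway or flow logs.

```python
"""Added example: least-privilege VPN access profiles with default deny,
applied as an authorization check and as an audit over connection records.
Not from the article or any vendor product; all names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    network: ipaddress.IPv4Network
    ports: frozenset  # empty frozenset means any port


def rule(cidr, *ports):
    return Rule(ipaddress.ip_network(cidr), frozenset(ports))


# Weak pattern: one profile, the whole corporate range, any port.
FLAT_PROFILES = {"default": [rule("10.0.0.0/8")]}

# Corrected pattern: each profile lists only the resources its users need.
PROFILES = {
    "finance":     [rule("10.20.5.10/32", 443), rule("10.20.7.0/24", 445)],
    "engineering": [rule("10.30.0.0/16", 22, 443), rule("10.20.9.4/32", 5432)],
    "contractor":  [rule("10.40.1.20/32", 3389)],
}


def allowed(profiles, profile, dst_ip, dst_port):
    """Default deny: a flow is permitted only if some rule of the profile covers it."""
    addr = ipaddress.ip_address(dst_ip)
    for r in profiles.get(profile, []):
        if addr in r.network and (not r.ports or dst_port in r.ports):
            return True
    return False


def audit(profiles, sessions, records):
    """Flag connections from VPN sessions that fall outside the user's profile.

    sessions: username -> profile for currently authenticated users
    records:  (username, destination IP, destination port) tuples
    A record for a user with no session is flagged too: traffic from the VPN
    pool with no authenticated owner is exactly what should not exist."""
    violations = []
    for user, dst_ip, dst_port in records:
        profile = sessions.get(user)
        if profile is None or not allowed(profiles, profile, dst_ip, dst_port):
            violations.append((user, dst_ip, dst_port))
    return violations


# Constructed sample: a hijacked "contractor" session probing other servers.
SESSIONS = {"alice": "finance", "bob": "engineering", "eve": "contractor"}
RECORDS = [
    ("alice",   "10.20.5.10", 443),   # payroll web app, permitted
    ("bob",     "10.30.12.7", 22),    # dev host, permitted
    ("eve",     "10.40.1.20", 3389),  # her jump box, permitted
    ("eve",     "10.20.7.15", 445),   # finance file share: not in her profile
    ("eve",     "10.20.9.4",  5432),  # engineering database: not in her profile
    ("mallory", "10.30.0.9",  22),    # no authenticated session at all
]

if __name__ == "__main__":
    for violation in audit(PROFILES, SESSIONS, RECORDS):
        print("outside profile:", violation)
```

Under the flat profile the first five records all pass, which is the carte blanche Jett describes; under the restricted profiles the same two probes from eve's session are flagged, and so is traffic with no session behind it. The same `allowed` function can sit in the gateway's forwarding path or run after the fact over logs, so the policy written once serves as both the control and the detection.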


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...
