
VPN Vulnerabilities Point Out Need for Comprehensive Remote Security

VPNs are the primary tool for securing remote access, but recently disclosed vulnerabilities point out the weakness of relying on them as the only tool.

"Encryption Everywhere" has become one of the rallying cries of enterprise security in the waning days of this millennium's second decade. But when one of the foundation technologies of enterprise encryption is broken, the repercussions can spread far beyond the security team to cover everything the systems are supposed to protect.

That's why the recent DHS CISA notice of vulnerabilities in four VPN applications is worrying, and why the particulars of those vulnerabilities are so eye-opening. As it turns out, the vulnerabilities aren't really in the basic encryption engines at work in the VPNs — they're in the way the information on whether a particular session has been authenticated is stored and protected.

So what does it mean when an instrument of security is insecurely implemented? And aside from the obvious solution of patching the vulnerabilities (in Cisco, Palo Alto Networks, F5 Networks, and Pulse Secure products) as quickly as the patches become available, what is a security team to do?

"If we've made any collective mistakes in our use of VPNs, they're around treating VPNs like infallible silver bullets," says Amy Herzog, field CSO at Pivotal. "As with the firewalls of a couple of decades ago, VPNs are just one part of a company's security posture. CISOs and CSOs should ensure their VPN use is as secure as possible, but they should also ensure their VPN fits into a larger system of security capabilities that's resilient to disruption."

It's that feeling of VPN invincibility that experts warn against. "What [VPN] users don't know is that VPNs are also prone to attacks and malware because bad actors know they are being used to convey sensitive information," says Usman Rahim, digital security and operations manager for The Media Trust. "If bad actors are able to exploit vulnerabilities, they will be able to access, steal, and misuse VPN logging data."

The Bad VPN?
As the security industry has seen with Amazon S3 buckets, problems explode when products and services that can be secure are implemented in a horribly insecure fashion.

"Unless businesses created multiple VPN profiles that restrict access to individual network resources, a VPN connection can allow carte blanche access to every network resource that would normally be available to users on the physical network," says Justin Jett, director of audit and compliance at Plixer. "This means that hackers connecting over the VPN will be just as effective at stealing network resources on the VPN as they would be if they had physical access to the network."

In the case of these vulnerabilities, it's as if the system developers built a nice, strong door, then left the key under the big rock directly beneath the doorbell. It's possible, some experts say, that the developers lost sight of how important those "keys" are because they exist as Web cookies rather than as authentication certificates.

"As a developer, it's easy to overlook that a cookie needs the same protections as a password because their format is already hashed or encrypted, but this is a common misnomer. Once someone has your cookie, they can just replay it and assume your Web identity," explains Jason Haddix, vice president of researcher growth at Bugcrowd. He says it's critical that those cookies be handled in the same secure manner used for authentication keys and certificates.

The problem is, "any exploit based on extracting keys or cookies and transferring them to another machine means that the VPN implementation on the gateway side does lack some additional countermeasures that I believe should have been implemented," says Etay Bogner, co-founder and CEO of Meta Networks. But which countermeasures or additional security measures should the victims have put into place?
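Haddix's point that a cookie deserves password-grade handling, and Bogner's question about gateway-side countermeasures against a cookie copied to another machine, can be illustrated with a small session store. This is an added example, not code from any of the vendors or people quoted; the session TTL, the client-binding-by-source-address rule, and the sample addresses are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a minimal server-side session store for a gateway.
# The raw token is handed to the client once (its cookie); only a SHA-256
# digest is kept at rest, so a leaked store (log file, memory dump) cannot be
# replayed the way a leaked plaintext cookie can.
SESSION_TTL = 8 * 3600  # seconds; assumed value for the example

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def create_session(store: dict, user: str, client_ip: str, now: float) -> str:
    token = secrets.token_urlsafe(32)   # 256 bits of entropy, treated like a password
    store[_digest(token)] = {"user": user, "ip": client_ip, "exp": now + SESSION_TTL}
    return token                        # goes only into the client's cookie

def validate_session(store: dict, token: str, client_ip: str, now: float):
    """Return the user name if the presented cookie is valid, else None."""
    key = _digest(token)
    record = store.get(key)
    if record is None:
        return None
    if now > record["exp"]:
        store.pop(key, None)            # expired: drop it
        return None
    # Bind the session to the client that established it, so a cookie carried
    # to another machine is rejected even though the token itself is genuine.
    if not hmac.compare_digest(record["ip"], client_ip):
        return None
    return record["user"]

def demo() -> dict:
    store = {}
    t0 = 1_000_000.0
    token = create_session(store, "alice", "203.0.113.10", t0)
    stored_value = next(iter(store))    # what someone reading the store sees
    return {
        "legit": validate_session(store, token, "203.0.113.10", t0 + 60),
        "other_host": validate_session(store, token, "198.51.100.7", t0 + 60),
        "stored_digest": validate_session(store, stored_value, "203.0.113.10", t0 + 60),
        "expired": validate_session(store, token, "203.0.113.10", t0 + SESSION_TTL + 1),
    }

if __name__ == "__main__":
    print(demo())
```

Source-address binding is a stand-in for whatever client binding a real gateway can enforce (TLS session, device certificate), since roaming clients change addresses; the at-rest hashing and expiry are the parts that apply unchanged.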

Beyond the VPN
Software-defined perimeter (SDP) systems have begun to appear in the market, and some say they offer the possibility of security beyond the limitations and vulnerabilities of VPNs. They may be part of the solution set that meets the requirements of the Trusted Internet Connection (TIC) 3.0 initiative of the Office of the Federal CIO.

"Solutions such as Zero Trust Networking through a software-defined perimeter will make a strong use case and promote how TIC 3.0 gives agencies greater flexibility and the ability to move quicker," ZScaler's Kovac says. "The SDP approach is to implement cloud-based access services to route traffic directly to the cloud. Using three core components — the application, the broker, and the connector — this method enables a 'trust-to-trust' approach, meaning a specific trusted user is connected to a specific trusted environment."

This approach reduces risk by giving users specific access to specific applications, he says.

Added Bogner: "The unique capability of SDPs is that they redefine the perimeter as a solution that follows the user device wherever it is, rather than an office or data center."

Better VPN Security Today
Technologies such as SDPs may be the solution for the future, but what can a security team do today to make sure its VPN is a security tool, rather than a vulnerability?

"System administrators have an important role to contribute to defense-in-depth by using appropriate controls in the VPN configuration," says Fausto Oliveira, principal security architect at Acceptto. "It is not enough to trust in the security of the endpoint. My advice is to use defense-in-depth to help keep your information secure and continue to raise the level of effort required for an attacker to be able to exploit this type of vulnerability."

Jett agrees, and goes further. "VPNs are a great resource, but reviewing VPN policies is critical to making them function correctly and with security as a first priority," he says. "Finally, VPNs should not be the last stop in the security equation. After a user has authenticated via the VPN, additional safeguards should be in place to prevent access to resources."


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...
