August 12, 2019//Tony HowlettLast Updated: November 19, 2020
Researchers at DEF CON demonstrate the most “vulnerable part of your network” could be your SSL VPN.
Last Friday at the annual DEF CON and Blackhat security conferences, Taiwanese security researchers Orange Tsai and Meh Chang revealed two new flaws in major vendor’s SSL VPN products. They showed how they could use overflow vulnerabilities in both Pulse Secure and Fortinet SSL VPNs to gain remote code execution ability; the holy grail of hackers. Once they had this ability they were able to establish a “magic backdoor” into the network to use at their leisure. These are major corporate remote access platforms, with Pulse Secure having over 50,000 SSL VPN servers and Fortinet having over 480,000. This is on top of their recent exploit of Palo Alto Networks SSL VPN, which means over half of the Fortune 1000 could be exposed to this exploit via their VPNs.
SSL VPNs are typically implemented via a web browser which makes it easy to deploy and support. However, it does mean that a web server interface has to be exposed to allow users to authenticate and gain access. And this presents a very visible attack surface for external bad actors (or security researchers) to exploit, which this team demonstrated ably. The details of their talk were quite technical and the full deck can be found here.
But the point is that the number of holes and known exploits of VPN technology has continued to grow every year. This vector has become one of the most used by hackers for initial entry into a network. Cisco, both the industry leader in VPNs and in exploitable bugs alone, has 159 critical exploited listed in the CVE database, while other major well-known vendors have dozens. Much like the password is becoming obsolete, maybe we need to see the sunset of the VPN technology, at least as it is typically implemented with loose controls and broad-spectrum network access.
A simple VPN can no longer be counted on to provide the whole security package for a remote access solution. All VPN administrators should be using segmentation and VLANs to cordon off the more sensitive areas of their networks from the prying eyes of illegitimate VPN users. They should also layer on additional protections for privileged accounts using Privileged Access Management (PAM) for internal users and Vendor Privileged Access Management (VPAM) for third-party. Only by practicing defense-in-depth and leveraging new, custom-built technologies, can you confident in using VPNs these days.