The Coronavirus pandemic has drastically changed our reality in a blink of an eye. With WFH and social distancing becoming the new norm. While these measures are key to reducing the risk of contracting COVID-19, from a security standpoint working from home introduces other risks.
In order for teams to continue working and remain connected from home while staying protected against cyberattacks, VPN (Virtual Private Networks) have been leveraged widely. These secure the connection between a local device and the company’s private network, ensuring safe, secure access to their information.
However, while VPNs can be a great tool for secure remote work, many VPN solutions come along with known vulnerabilities that can in fact be exploited. Should a cybercriminal exploit a VPN vulnerability, sensitive, privileged data might be intercepted, and an attacker could even take control of the affected system.
We are witnessing a rise in attackers hunting to exploit these vulnerabilities in VPNs, and the new WFH reality that’s heavily reliant on VPNs results in many new targets.
The rise of workers relying on VPNs due to Coronavirus, combined with the risks related to VPNs has led the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) to issue an alert to companies, asking them to bolster VPN security and adopt best practices to protect against exploits.
What should you do?
First of all, in order to mitigate the risk from enterprise VPNs, the the best practices listed below should be followed. Additionally, in January of this year, we published a blog post on most critical RCE vulnerabilities in enterprises VPN’s and a guide on how to best remediate them.
If you haven’t patched the following vulnerabilities yet, we urge you to do so. We are currently seeing a rise in sources reporting that these vulnerabilities being exploited in the wild.
Suggested Remediation Measures for the critical RCE Vulnerabilities:
1. Pulse Connect Secure
- CVE-2019-11510 – pre-auth arbitrary file reading: An unauthenticated remote attacker can craft and send a Uniform Resource Identifier (URI) to read files. This vulnerability affects Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
POC:
| CVE-2019-11510 | Exploit Database | Pulse Connect Secure |
| CVE-2019-11510 | GitHub: CVE-2019-11510-poc | Pulse Connect Secure |
- CVE-2019-11539 – post-auth command injection: The admin web interface allows an authenticated attacker to inject and execute commands. This vulnerability affects Pulse Secure PCS version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1.
How to Remediate
If you are using Pulse Secure products for VPN, patch immediately with the linked solution to mitigate these 2 vulnerabilities (and 8 more).
2. Fortinet FortiOS
- CVE-2018-13379 – pre-auth arbitrary file reading: A path traversal vulnerability under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. This vulnerability affects Fortinet FortiOS 6.0.0 to 6.0.4 and 5.6.3 to 5.6.7.
POC:
| CVE-2018-13379 | GitHub: CVE-2018-13379 | FortiGate SSL VPN |
| CVE-2018-13379 | Exploit Database | FortiGate SSL VPN |
- CVE-2018-13382 – this vulnerability allows an unauthenticated attacker to change the password of an SSL VPN web portal user via specially crafted HTTP requests. This vulnerability affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, and 5.4.1 to 5.4.10.
- CVE-2018-13383 – post-auth heap overflow: This allows an attacker to gain a shell running on the router. A heap buffer overflow in the SSL VPN web portal can terminate SSL VPN web service for logged-in users due to a failure to properly handle Javascript href data when proxying web pages. Affects all Fortinet FortiOS versions below 6.0.5.
POC:
| CVE-2018-13379, CVE-2018-13383 | Blog from Meh Chang and Orange Tsai | FortiGate SSL VPN |
How to Remediate:
To mitigate the risk, apply the patches from the Fortinet advisory to your Fortiner products:
| Fortinet Advisory | Affected Versions | Patch Date |
| CVE-2018-13379 (FG-IR-18-384) | FortiOS 6.0.0 – 6.0.4 FortiOS 5.6.3 – 5.6.7 | 5/24/19 |
| CVE-2018-13380 (FG-IR-18-383) | FortiOS 6.0.0 – 6.0.4 FortiOS 5.6.0 – 5.6.7 FortiOS <= 5.4 | 5/24/19
|
| CVE-2018-13381 (FG-IR-18-387) | FortiOS 6.0.0 – 6.0.4 FortiOS 5.6.0 – 5.6.7 FortiOS <= 5.4 | 5/24/19
|
| CVE-2018-13382 (FG-IR-18-389) | FortiOS 6.0.0 – 6.0.4* FortiOS 5.6.0 – 5.6.8* FortiOS 5.4.1 – 5.4.10* | 5/24/19
|
| CVE-2018-13383 (FG-IR-18-388) | FortiOS 6.0.0 – 6.0.4 FortiOS <= 5.6.10 | 4/2/19 |
* Vulnerable only when SSL VPN service is enabled.
3. Palo Alto GlobalProtect Portal
- CVE-2019-1579 – RCE might allow an unauthenticated remote attacker to execute arbitrary code. This vulnerability affects PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled.
POC: https://github.com/securifera/CVE-2019-1579/blob/master/CVE-2019-1579_8.0.7_mips.py
How to Remediate:
Upgrade the product to non-vulnerable versions “Affected version Fixed version PAN-OS 7.1.18 and earlier PAN-OS 7.1.19 and later PAN-OS 8.0.11 and earlier PAN-OS 8.0.12 and later PAN-OS 8.1.2 and earlier PAN-OS 8.1.3 and later. This vulnerability does not impact PAN-OS 9.0.
Vendor advisory: https://securityadvisories.paloaltonetworks.com/Home/Detail/158
Mitigating Risk from Enterprise VPNs due the COVID-19 Outbreak
In order to mitigate risk from enterprise VPN, the following best-practices should be followed:
- Implement Execution Prevention
- Implement Execution Prevention
- Implement and ensure robust Network Segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone (DMZ) that eliminates unregulated communication between the IT and OT networks.
- Review the VPN log files for evidence of compromised accounts in active use.
- Look for connections in odd times and other unusual events that may require further investigation.
- Ensure that you can patch and maintain the remote access.
- Add multi-factor authentication (MFA) when using VPN.
- Review the end-user license agreements and examine the reviews before purchasing a VPN solution. Ask around to trusted forums for advice and guidance on VPN solutions.
- Make sure you can update and service the application even on remote locations.
- Provide guidance and education to users on how to properly use VPN.
- Enable strong spam filters to prevent phishing emails from reaching end users.
- Limit Access to Resources over Network, especially by restricting Remote Desktop Protocol (RDP).
To learn more about mitigating risks from your VPNs, speak with one of our experts
