In these days of uncertainty, while many, if not most of us are at home trying to balance working remotely and family life, DevOps, IT & security teams are doubling down on their efforts to provide the technical support needed to ensure business continuity. The task at hand presents a unique challenge which for many organizations is uncharted.
One of the topics that is currently on every IT team's to-do list is ensuring VPNs are running smoothly and connectivity is scaled up to match the heightened traffic and access requests. Enterprise VPNs are important as they allow users a secure remote connection into the organization’s internal network thus extending the private network across a public one. In essence, VPNs protect corporate assets and sensitive data from internet exposure, making sure that anyone intercepting the encrypted data will not be able to read it.
VPNs are and should be exposed to the internet, but what happens if they themselves become vulnerable?
If a VPN server is compromised, attackers can easily infiltrate a company’s intranet and carry out a range of activities such as obtaining access to logs and files and executing malicious codes on the network among others. As a result, Enterprise VPN servers are lucrative targets that hackers are going after, and especially now, when so many users are depending on the ability to connect remotely in order to continue performing their work.
How easy is it to find exposed vulnerable VPNs on the internet?
Exposed VPNs can be found with just a few clicks. Attackers use internet scanners to discover VPN servers that run on a vulnerable software version. Once detected, they leverage known vulnerabilities and off the shelf proof-of-concept codes that can be found online. Reposify’s internet scanners detected millions of VPNs servers currently exposed to the internet, of which thousands are unpatched and vulnerable.
What kind of VPN vulnerabilities exist out there?
Recently, multiple CVEs were released for several widely used VPN servers. In 2019 and 2020 there were several attacks in which these VPN vulnerabilities were exploited to infiltrate and plant backdoors in companies all over the world. These known vulnerabilities allow an attacker to login into the intranet and retrieve files , logs and cached passwords, shut down the MFA and could allow remote code execution on the clients connecting to the compromised VPN server.
Here is a shortlist of the most recent CVE’s that were released for common VPN types:
Pulse Connect Secure:
- CVE-2018-13379: Pre-auth arbitrary file reading
- CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
- CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.
Palo Alto Networks GlobalProtect Portal
- CVE-2019-1579: Unauthenticated remote attacker to execute arbitrary code.
- CVE-2019-19781: Directory Path Traversal leads to RCE
SonicWall VPN: (SonicWall SRA and SMA VPN servers)
- CVE-2019-7481: Blind SQL injection vulnerability which can be exploited remotely.
- CVE-2019-7482: Execute arbitrary commands with nobody privileges on the device.
- CVE-2019-7483: Pre-authentication vulnerability.
How to reduce exposures and vulnerabilities in your VPNs?
The Cybersecurity and Infrastructure Security Agency (CISA) has released several mitigation steps that teams can follow in order to improve their VPNs security:
- Ensure the latest software patches are installed on all your VPNs, network infrastructure devices, and other devices being used to remotely access work environments.
- If during this review process, you discovered a VPN server that wasn't patched immediately after the release of a CVE, it is recommended to scan your entire internal network for any signs of compromise.
- If you suspect a VPN server was compromised, reset your authentication credentials associated with the affected VPN and accounts connecting through it.
- Implement multi-factor authentication (MFA) on all VPN connections to avoid brute force attacks against the login panel. If MFA cannot be implemented, encourage employees to use strong passwords.
- Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritize users that will require higher bandwidths.
- Prepare for the need to ramp up the following remote access security tasks: log review, attack detection, and incident response and recovery.