Is Your Enterprise VPN Secure?

In these days of uncertainty, while many, if not most, of us are at home trying to balance remote work and family life, DevOps, IT and security teams are doubling down on their efforts to provide the technical support needed to ensure business continuity. The task at hand is a unique challenge that is uncharted territory for many organizations.

One of the topics currently on every IT team's to-do list is ensuring that VPNs are running smoothly and that connectivity is scaled up to match the heightened traffic and access requests. Enterprise VPNs matter because they give users a secure remote connection into the organization's internal network, extending the private network across a public one. In essence, VPNs protect corporate assets and sensitive data from internet exposure: anyone intercepting the traffic cannot read the encrypted data.

VPN gateways are, and have to be, exposed to the internet. But what happens when they themselves become vulnerable?

If a VPN server is compromised, attackers can easily move into a company's intranet and carry out a range of activities, such as reading logs and files or executing malicious code on the network. As a result, enterprise VPN servers are attractive targets, especially now, when so many users depend on remote connectivity to keep doing their work.

How easy is it to find exposed vulnerable VPNs on the internet? 

Exposed VPNs can be found with just a few clicks. Attackers use internet scanners to discover VPN servers that run a vulnerable software version. Once a server is detected, they leverage known vulnerabilities and off-the-shelf proof-of-concept code that can be found online. Reposify's internet scanners detected millions of VPN servers currently exposed to the internet, of which thousands are unpatched and vulnerable.

What kind of VPN vulnerabilities exist out there?

Recently, multiple CVEs were released for several widely used VPN servers. In 2019 and 2020 there were several attacks in which these VPN vulnerabilities were exploited to infiltrate companies all over the world and plant backdoors. These known vulnerabilities allow an attacker to log in to the intranet and retrieve files, logs and cached passwords, to disable MFA, and could allow remote code execution on the clients connecting to the compromised VPN server.

Here is a shortlist of the most recent CVEs released for common VPN types:

Pulse Connect Secure:
  • CVE-2018-13379: Pre-authentication arbitrary file read.
  • CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
  • CVE-2018-13383: Post-authentication heap overflow. Allows an attacker to gain a shell running on the router.

Palo Alto Networks GlobalProtect Portal:
  • CVE-2019-1579: Allows an unauthenticated remote attacker to execute arbitrary code.

Citrix NetScaler:
  • CVE-2019-19781: Directory path traversal leading to remote code execution (RCE).

SonicWall VPN (SonicWall SRA and SMA VPN servers):
  • CVE-2019-7481: Blind SQL injection vulnerability that can be exploited remotely.
  • CVE-2019-7482: Allows execution of arbitrary commands with the privileges of the nobody user on the device.
  • CVE-2019-7483: Pre-authentication vulnerability.

How can you reduce vulnerabilities in your VPNs?

The Cybersecurity and Infrastructure Security Agency (CISA) has released several mitigation steps that teams can follow to improve their VPN security:

  1. Ensure the latest software patches are installed on all your VPNs, network infrastructure devices, and other devices used to remotely access work environments.
  2. If, during this review, you discover a VPN server that was not patched promptly after a CVE was released, scan your entire internal network for any signs of compromise.
  3. If you suspect a VPN server was compromised, reset the authentication credentials associated with the affected VPN and the accounts connecting through it.
  4. Implement multi-factor authentication (MFA) on all VPN connections to defeat brute-force attacks against the login panel. If MFA cannot be implemented, encourage employees to use strong passwords.
  5. Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications, such as rate limiting, to prioritize users that will require higher bandwidth.
  6. Prepare to ramp up the following remote access security tasks: log review, attack detection, and incident response and recovery.
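As an added example for the log-review and attack-detection task in step 6 (this is not code from the original post or from CISA), the Python helper below reviews VPN gateway access logs for two of the patterns discussed above: directory path traversal probes against the web front end, including URL-encoded and double-encoded forms, and bursts of failed logins against the login panel that MFA or rate limiting would blunt. The log format, the login path, the "401 on POST /login means a failed login" rule, the thresholds and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote
# Constructed log format for this example: "<ISO time> <client ip> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")  # '..' as a whole path component

def is_traversal(path):
    """Decode twice so single- and double-URL-encoded '..' are both caught."""
    decoded = unquote(unquote(path.split("?", 1)[0]))
    return TRAVERSAL_RE.search(decoded) is not None

def review(lines, login_path="/login", threshold=5, window=timedelta(minutes=1)):
    """Return traversal attempts and source IPs with >= threshold failed logins
    inside any window; malformed lines are skipped rather than crashing review."""
    traversal, failures = [], defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, ip, method, path, status = m.groups()
        if is_traversal(path):
            traversal.append((ip, path))
        # Assumed for this example: a 401 on POST to the login path is a failed login.
        if method == "POST" and path == login_path and status == "401":
            failures[ip].append(datetime.fromisoformat(ts))
    brute = {}
    for ip, times in failures.items():
        times.sort()
        best = j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:  # slide the window start forward
                j += 1
            best = max(best, i - j + 1)    # failures inside the window ending at t
        if best >= threshold:
            brute[ip] = best
    return {"traversal": traversal, "bruteforce": brute}

# Constructed sample: two traversal probes, a harmless '..' inside a file name,
# a burst of five failed logins from one address and two isolated failures.
SAMPLE_LOG = [
    "2020-03-20T10:00:01 203.0.113.7 GET /vpn/index.html 200",
    "2020-03-20T10:00:02 203.0.113.7 GET /vpn/..%2F..%2Flocal/secret.txt 403",
    "2020-03-20T10:00:03 198.51.100.9 GET /vpn/%252e%252e/%252e%252e/x 404",
    "2020-03-20T10:00:04 198.51.100.9 GET /vpn/a..b/c 200",
    "2020-03-20T10:30:00 192.0.2.6 POST /login 401",
    "2020-03-20T11:30:00 192.0.2.6 POST /login 401",
] + [f"2020-03-20T10:01:{s:02d} 192.0.2.5 POST /login 401" for s in range(0, 50, 10)]
```

Running `review(SAMPLE_LOG)` flags both traversal probes and the single address with five failures inside one minute, while the isolated failures and the file name containing `..` are left alone.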

Asaf Aprozper is a cybersecurity expert, blogger, thought leader and guest speaker at international cyber research conferences. Recent speaking opportunities included "Code Blue" Japan and "BSides" Cyprus.
