In April 2019, the United States’ CERT Coordination Center released information about vulnerabilities affecting various Virtual Private Network (VPN) applications. These applications provide access to VPNs — networks that exist over a public network while, at the same time, have some of the properties of a private network. VPN networks often provide their users with cryptographic encryption, traffic and session authentication and a separation of a private IP realm from a public IP realm.
The purpose of this article is to discuss the VPN vulnerabilities found by the U.S. CERT Coordination Center and provide recommendations to system administrators on how they can identify and eliminate such vulnerabilities.
An overview of the VPN vulnerabilities found by the CERT Coordination Center
The CERT Coordination Center divides the identified VPN vulnerabilities into two categories: vulnerabilities related to insecurely storing cookies in log files and vulnerabilities related to insecurely storing cookies in memory.
Certain versions of the software GlobalProtect Agent include both types of vulnerabilities. According to the CERT Coordination Center, those versions “may allow an attacker to access authentication and/or session tokens and replay them to spoof the VPN session and gain access as the user.” (Source.) Certain versions of the software Pulse Secure Pulse Desktop Client and Network Connect also include both types of vulnerabilities. Those versions allow attackers to access session tokens to replay and spoof sessions, thus gaining unauthorized access as end users.
The vulnerabilities mentioned above clearly indicate that VPN are not bulletproof security solutions. Dark Reading quoted Amy Herzog, field CSO at Pivotal on the subject: “As with the firewalls of a couple of decades ago, VPNs are just one part of a company’s security posture. CISOs and CSOs should ensure their VPN use is as secure as possible, but they should also ensure their VPN fits into a larger system of security capabilities that’s resilient to disruption.”
The CERT Coordination Center warned that the vulnerabilities identified above may be found in other VPN applications and requested persons who believe that their organization is vulnerable to contact the Center. The Center also published a list of 237 security vendors that were notified about the identified vulnerabilities, as well as information about whether those vendors were affected by the vulnerabilities.
How to identify and eliminate VPN vulnerabilities
The companies that developed GlobalProtect Agent and Pulse Secure Pulse Desktop Client recommended the use of newer versions of their applications that do not contain the abovementioned vulnerabilities.
Organizations willing to identify VPN vulnerabilities need to use tools that periodically test their VPN systems for configuration issues, missing patches, known exploits and other security issues. Furthermore, such organizations need to develop comprehensive VPN policies that specify the tools that will be used for testing VPN systems as well as the frequency of the tests.
VPN policies are also known as remote access policies and constitute a part of the general security policy of an organization. A VPN policy needs to specify the persons responsible for testing the VPN for vulnerabilities, as well as the sanctions for not performing the required tests in time. Many VPN policies specify the applicable sanctions in a section called “disciplinary action up to and including termination.”
VPN policies need also to include incident response clauses obliging members of the security staff to inform the entire organization about the identified vulnerabilities and the measures they can take to minimize the risk of a cyberattack until the vulnerabilities are addressed.
Once an organization identifies VPN vulnerabilities, it needs to eliminate them as soon as possible in order to prevent attackers from using them for malicious purposes. Even if the tools employed by the organization classify vulnerabilities in accordance with their potential impact, it is preferable to address all identified vulnerabilities at the same time, without prioritizing. This is because low-impact vulnerabilities may often be used by attackers to identify high-impact vulnerabilities.
The elimination of VPN vulnerabilities may include the installation of patches that fix bugs, address security issues, or adding additional functionalities. Those patches can be tested on a development VPN. If an organization lacks a development VPN, it can test the implementation of the functionalities directly on its regular VPN. Organizations need to ensure that their security vendors provide them with prompt notices about newly-released security patches and clear instructions on how to install those patches.
This article has shown that VPN are susceptible to cyberattacks, and that organizations need to take adequate measures to identify and eliminate VPN vulnerabilities. Those measures need to be specified in comprehensive VPN policies and strictly enforced. Cooperation with vendors of VPN solutions is of vital importance for the timely elimination of VPN vulnerabilities.
In the future, VPNs may be replaced by software-defined perimeter (SDP) systems which gain more and more market share in the security industry. Such systems, also known as “Black Cloud,” are based on a need-to-know model in which device identity and posture are verified prior to granting access to an application infrastructure. Thus, the application infrastructure does not include visible DNS information or IP addresses.
The creators of SDP systems claim that their systems mitigate various network-based attacks, including but not limited to SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), man-in-the-middle and pass-the-hash.
- CVE-2019-1573 Detail, National Vulnerability Database
- VPN Vulnerabilities Point Out Need for Comprehensive Remote Security, Dark Reading
- VPN applications insecurely store session cookies, Software Engineering Institute
- Can VPNs Really Be Trusted?, The State of Security
- Vulnerability in Multiple VPN Applications, CISA
- EC-Council, “Network Defense: Security and Vulnerability Assessment,” Cengage Learning, 2012
- Shea, R., “L2TP: Implementation and Operation,” Addison-Wesley Professional, 2000
- Steward, M., “Network Security, Firewalls, and VPNs,” Jones & Bartlett Publishers, September 2010
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She holds an advanced Master’s degree in IP & ICT Law. Her particular interests include data protection, cybercrime law, and legal aspects of e-commerce business.