How to identify and eliminate VPN vulnerabilities
Introduction
In April 2019, the United States’ CERT Coordination Center released information about vulnerabilities affecting various Virtual Private Network (VPN) applications. These applications provide access to VPNs — networks that exist over a public network while, at the same time, have some of the properties of a private network. VPN networks often provide their users with cryptographic encryption, traffic and session authentication and a separation of a private IP realm from a public IP realm.
The purpose of this article is to discuss the VPN vulnerabilities found by the U.S. CERT Coordination Center and provide recommendations to system administrators on how they can identify and eliminate such vulnerabilities.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
An overview of the VPN vulnerabilities found by the CERT Coordination Center
The CERT Coordination Center divides the identified VPN vulnerabilities into two categories: vulnerabilities related to insecurely storing cookies in log files and vulnerabilities related to insecurely storing cookies in memory.
Certain versions of the software GlobalProtect Agent include both types of vulnerabilities. According to the CERT Coordination Center, those versions “may allow an attacker to access authentication and/or session tokens and replay them to spoof the VPN session and gain access as the user.” (Source.) Certain versions of the software Pulse Secure Pulse Desktop Client and Network Connect also include both types of vulnerabilities. Those versions allow attackers to access session tokens to replay and spoof sessions, thus gaining unauthorized access as end users.
The vulnerabilities mentioned above clearly indicate that VPN are not bulletproof security solutions. Dark Reading quoted Amy Herzog, field CSO at Pivotal on the subject: “As with the firewalls of a couple of decades ago, VPNs are just one part of a company's security posture. CISOs and CSOs should ensure their VPN use is as secure as possible, but they should also ensure their VPN fits into a larger system of security capabilities that's resilient to disruption.”
The CERT Coordination Center warned that the vulnerabilities identified above may be found in other VPN applications and requested persons who believe that their organization is vulnerable to contact the Center. The Center also published a list of 237 security vendors that were notified about the identified vulnerabilities, as well as information about whether those vendors were affected by the vulnerabilities.
How to identify and eliminate VPN vulnerabilities
The companies that developed GlobalProtect Agent and Pulse Secure Pulse Desktop Client recommended the use of newer versions of their applications that do not contain the abovementioned vulnerabilities.
Organizations willing to identify VPN vulnerabilities need to use tools that periodically test their VPN systems for configuration issues, missing patches, known exploits and other security issues. Furthermore, such organizations need to develop comprehensive VPN policies that specify the tools that will be used for testing VPN systems as well as the frequency of the tests.
VPN policies are also known as remote access policies and constitute a part of the general security policy of an organization. A VPN policy needs to specify the persons responsible for testing the VPN for vulnerabilities, as well as the sanctions for not performing the required tests in time. Many VPN policies specify the applicable sanctions in a section called “disciplinary action up to and including termination.”
VPN policies need also to include incident response clauses obliging members of the security staff to inform the entire organization about the identified vulnerabilities and the measures they can take to minimize the risk of a cyberattack until the vulnerabilities are addressed.
Once an organization identifies VPN vulnerabilities, it needs to eliminate them as soon as possible in order to prevent attackers from using them for malicious purposes. Even if the tools employed by the organization classify vulnerabilities in accordance with their potential impact, it is preferable to address all identified vulnerabilities at the same time, without prioritizing. This is because low-impact vulnerabilities may often be used by attackers to identify high-impact vulnerabilities.
The elimination of VPN vulnerabilities may include the installation of patches that fix bugs, address security issues, or adding additional functionalities. Those patches can be tested on a development VPN. If an organization lacks a development VPN, it can test the implementation of the functionalities directly on its regular VPN. Organizations need to ensure that their security vendors provide them with prompt notices about newly-released security patches and clear instructions on how to install those patches.
Conclusion
This article has shown that VPN are susceptible to cyberattacks, and that organizations need to take adequate measures to identify and eliminate VPN vulnerabilities. Those measures need to be specified in comprehensive VPN policies and strictly enforced. Cooperation with vendors of VPN solutions is of vital importance for the timely elimination of VPN vulnerabilities.
In the future, VPNs may be replaced by software-defined perimeter (SDP) systems which gain more and more market share in the security industry. Such systems, also known as “Black Cloud,” are based on a need-to-know model in which device identity and posture are verified prior to granting access to an application infrastructure. Thus, the application infrastructure does not include visible DNS information or IP addresses.
The creators of SDP systems claim that their systems mitigate various network-based attacks, including but not limited to SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), man-in-the-middle and pass-the-hash.
Sources
- CVE-2019-1573 Detail, National Vulnerability Database
- VPN Vulnerabilities Point Out Need for Comprehensive Remote Security, Dark Reading
- VPN applications insecurely store session cookies, Software Engineering Institute
- Can VPNs Really Be Trusted?, The State of Security
- Vulnerability in Multiple VPN Applications, CISA
- EC-Council, “Network Defense: Security and Vulnerability Assessment,” Cengage Learning, 2012
- Shea, R., “L2TP: Implementation and Operation,” Addison-Wesley Professional, 2000
- Steward, M., “Network Security, Firewalls, and VPNs,” Jones & Bartlett Publishers, September 2010
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Co-Author
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She holds an advanced Master’s degree in IP & ICT Law. Her particular interests include data protection, cybercrime law, and legal aspects of e-commerce business.
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- How to identify and eliminate VPN vulnerabilities
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness