Top Vulnerabilities Exploited in VPNs in 2020

In several VPN products worldwide, APTs target vulnerabilities. This is an ongoing activity directed at multinational organizations. Including government, military, academic, industry, and medical care industries. The open-source is well known for these vulnerabilities, and industry data suggest that hundreds of VPNs may appear to be insecure.

How VPNs can be attacked?

Several SSL VPN products contain vulnerabilities that allow an attacker to retrieve arbitrary data like authentication files.

An intruder can connect to the VPN and change configuration settings or connect to another internal infrastructure with those stolen credentials.

Unauthorized attachment to a VPN will also provide a secondary exploit entry to a root shell for the attacker.

Such vulnerabilities and attacks allow adversaries to overwrite data, execute malicious code or commands, cause a DoS condition, and more.

How VPN vulnerabilities could be so harmful?

For a number of reasons, VPN vulnerabilities are extremely dangerous. These devices reveal access points in insecure networks and there is very little evidence of a breach in security introspection tools. Attackers may break a VPN and then spend months mapping a target network until ransomware or extorting requests are implemented.

What are the top vulnerabilities in 2020?

Many organizations today use IP Security (IPsec) Virtual Private Networks (VPNs) to connect remote locations. Critical information that passes through unknown networking is secured by cryptography. It is crucial that these VPNs use strong cryptography to protect this traffic and ensure the confidentiality of data.

Since COVID‐19 has become widespread, almost all companies dependent on a remote workforce, and enterprise-level VPNs are. Around the same time, they have been perfect opportunities for hackers finding a path in the IT networks and digital assets.

Pulse Secure

CVE-2019-11510 Pulse Connect Secure (PCS): Pre-auth arbitrary file reading

Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Many of these vulnerabilities have a critical CVSS score and pose a significant risk to your deployment.

Affected products:

• Pulse Connect Secure 9.0R1 – 9.0R3.3
• Pulse Connect Secure 8.3R1 – 8.3R7
• Pulse Connect Secure 8.2R1 – 8.2R12
• Pulse Connect Secure 8.1R1 – 8.1R15
• Pulse Policy Secure 9.0R1 – 9.0R3.1
• Pulse Policy Secure 5.4R1 – 5.4R7
• Pulse Policy Secure 5.3R1 – 5.3R12
• Pulse Policy Secure 5.2R1 – 5.2R12
• Pulse Policy Secure 5.1R1 – 5.1R15

Solution: The solution for these vulnerabilities is to upgrade your Pulse Connect Secure and Pulse Policy Secure server software version to the corresponding version that has the fix.

CVE-2019-11539 Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) : Post-auth command injection

Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Many of these vulnerabilities have a critical CVSS score and pose a significant risk to your deployment.

Affected products:

• Pulse Connect Secure 9.0R1 – 9.0R3.3
• Pulse Connect Secure 8.3R1 – 8.3R7
• Pulse Connect Secure 8.2R1 – 8.2R12
• Pulse Connect Secure 8.1R1 – 8.1R15
• Pulse Policy Secure 9.0R1 – 9.0R3.1
• Pulse Policy Secure 5.4R1 – 5.4R7
• Pulse Policy Secure 5.3R1 – 5.3R12
• Pulse Policy Secure 5.2R1 – 5.2R12
• Pulse Policy Secure 5.1R1 – 5.1R15

Solution: The solution for these vulnerabilities is to upgrade your Pulse Connect Secure and Pulse Policy Secure server software version to the corresponding version that has the fix.

Fortinet

CVE-2018-13379 FortiOS: Pre-auth arbitrary file reading

A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

Affected products:

• FortiOS 6.0 – 6.0.0 to 6.0.4
• FortiOS 5.6 – 5.6.3 to 5.6.7
• FortiOS 5.4 – 5.4.6 to 5.4.12

Solution: Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

CVE-2018-13382 FortiOS: Unauthenticated SSL VPN users password modification

An Improper Authorization vulnerability in the SSL VPN web portal may allow an unauthenticated attacker to change the password of an SSL VPN web portal user via specially crafted HTTP requests.

Affected products:

• FortiOS 6.0.0 to 6.0.4
• FortiOS 5.6.0 to 5.6.8
• FortiOS 5.4.1 to 5.4.10

Solution: Upgrade to FortiOS 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above.

CVE-2018-13383 FortiOS: SSL VPN buffer overrun when parsing javascript href content

A heap buffer overflow vulnerability in the FortiOS SSL VPN web portal may cause the SSL VPN web service termination for logged in users or potentially remote code execution on FortiOS; this happens when an authenticated user visits a specifically crafted proxy-ed webpage, and this is due to a failure to handle javascript href content properly.

Affected products:

• FortiOS 6.0.0 to 6.0.4
• FortiOS 5.6.0 to 5.6.10
• FortiOS 5.4.0 to 5.4.12
• FortiOS 5.2.0 to 5.2.14

Solution: Upgrade to FortiOS 5.2.15, 5.4.13, 5.6.11, 6.0.5 or 6.2.0 and above.

Citrix NetScaler

CVE-2019-19781: Directory Path Traversal leads to RCE

A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway is formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP, Citrix ADC MPX, or Citrix ADC SDX.

Further investigation by Citrix has shown that this issue also affects certain deployments of Citrix SD-WAN, specifically the Citrix SD-WAN WANOP edition. Citrix SD-WAN WANOP edition packages Citrix ADC as a load balancer thus resulting in the affected status.

Affected products:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24
• NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18
• NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 12.0.63.13
• NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15
• NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12
• Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b

Solution: Exploits of this issue on unmitigated appliances have been observed in the wild. Citrix strongly urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation which applies equally to Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP deployments. Customers who have chosen to immediately apply the mitigation should then upgrade all of their vulnerable appliances to a fixed build of the appliance at their earliest schedule.

Palo Alto Networks

CVE-2020-2050 PAN-OS: Authentication bypass vulnerability in GlobalProtect client certificate verification

An authentication bypass vulnerability exists in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software that allows an attacker to bypass all client certificate checks with an invalid certificate. A remote attacker can successfully authenticate as any user and gain access to restricted VPN network resources when the gateway or portal is configured to rely entirely on certificate-based authentication. Impacted features that use SSL VPN with client certificate verification are GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN.

In configurations where client certificate verification is used in conjunction with other authentication methods, the protections added by the certificate check are ignored as a result of this issue.

Affected products:

• PAN-OS 8.1 versions earlier than PAN-OS 8.1.17
• PAN-OS 9.0 versions earlier than PAN-OS 9.0.11
• PAN-OS 9.1 versions earlier than PAN-OS 9.1.5
• PAN-OS 10.0 versions earlier than PAN-OS 10.0.1

Solution: This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, PAN-OS 10.0.1, and all later PAN-OS versions.

CVE-2020-2005 PAN-OS: GlobalProtect clientless VPN session hijacking

A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect clientless VPN that can compromise the user’s active session.

Affected products:

• PAN-OS 7.1 versions earlier than 7.1.26
• PAN-OS 8.1 versions earlier than 8.1.13
• PAN-OS 9.0 versions earlier than 9.0.7
• All versions of PAN-OS 8.0

Solution: This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.7, and all later versions of PAN-OS.

CVE-2019-1579 PAN-OS: Remote Code Execution in GlobalProtect Portal/Gateway Interface

Palo Alto Networks is aware of the reported remote code execution (RCE) vulnerability in its GlobalProtect portal and GlobalProtect Gateway interface products. The issue is already addressed in prior maintenance releases. (Ref: CVE-2019-1579)

Successful exploitation of this issue allows an unauthenticated attacker to execute arbitrary code.

Solution: PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, and PAN-OS 8.1.3 and later releases.

SonicWall

CVE-2020-5135 SONIC-OS: A buffer overflow vulnerability

A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.

Without knowing any username and/or password, adversaries can simply send crafted requests to the SonicWALL HTTP(S) service and trigger memory corruption.

Affected products:

• SonicOS 6.5.4.7-79n and earlier 
• SonicOS 6.5.1.11-4n and earlier 
• SonicOS 6.0.5.3-93o and earlier
• SonicOSv 6.5.4.4-44v-21-794 and earlier
• SonicOS 7.0.0.0-1

Solution: A patch has been issued. SSL VPN portals may be disconnected from the internet as temporary mitigation before the patch is applied.

CVE-2019-7481 SonicOS: Blind SQL injection vulnerability which can be exploited remotely

Vulnerability in SonicWall SMA100 allow unauthenticated users to gain read-only access to unauthorized resources.

Affected products:

• SonicWall SMA100 9.0.0.3 and earlier

CVE-2019-7482 SonicOS: Execute arbitrary commands with nobody privileges on the device

Stack-based buffer overflow in SonicWall SMA100 allows an unauthenticated user to execute arbitrary code in the function libSys.so.

Affected products:

• SonicWall SMA100 9.0.0.3 and earlier

CVE-2019-7483 SonicOS: Pre-authentication vulnerability

In SonicWall SMA100, an unauthenticated Directory Traversal vulnerability in the handleWAFRedirect CGI allows the user to test for the presence of a file on the server.

Affected products:

• SonicWall SMA100 9.0.0.3 and earlier

Cisco Systems

CVE-2020-3220 Cisco IOS: Cisco IOS XE software IPsec VPN denial of service vulnerability

A vulnerability in the hardware crypto driver of Cisco IOS XE Software for Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers could allow an unauthenticated, remote attacker to disconnect legitimate IPsec VPN sessions to an affected device.

The vulnerability is due to insufficient verification of the authenticity of received Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by tampering with ESP cleartext values as a man-in-the-middle.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Affected products:

• Cisco 4300 Series Integrated Services Routers
• Cisco Catalyst 9800-L Wireless Controllers

Solution: Cisco provides the Cisco Software Checker to identify any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory (First fixed). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (Combined first fixed).

Moxa

CVE-2020-14511: Moxa’s EDR-G902 and EDR-G903 series secure routers / VPN servers sport a stack-based buffer overflow bug

Malicious operation of the crafted web browser cookie may cause a stack-based buffer overflow in the system web server on the EDR-G902 and EDR-G903 Series Routers (versions prior to 5.4). These secure routers/VPN servers sport a stack-based buffer overflow bug that could lead to RCE.

Widely used across critical infrastructure sectors such as manufacturing, energy, and transportation, Moxa EDR-G902, and EDR-G903 are industrial VPN servers with an all-in-one secure router, which includes a firewall and network access translation (NAT). Since EDR G902/G903 are often exposed to the internet, attackers could potentially leverage the discovered vulnerability as a gateway to targeted operational technology (OT) environments.

Moxa EDR-G902 and EDR-G903 use a GoAhead-based web server implemented in the /magicP/WebServer/webs binary to handle HTTP/HTTPS requests to port 80 and 443. To verify authentication, the websSecurityHandler function checks the cookie set by the client-side user before accessing any page.

Affected products:

• EDR-G902 Series
• EDR-G903 Series

Solution: Organizations unable to immediately apply the firmware update can adopt the following defensive measures recommended by CISA to recommend exploitation of this vulnerability:

• Minimize network exposure for all industrial control systems (ICS) and devices, ensuring they are not connected to the internet.
• Protect ICS systems and devices with firewalls, and isolate them from your organization’s business network.
• Leverage VPNs or other secure methods when remote access is required while keeping these defense measures updated to the most current version available.

What can be done?

According to the NSA, to maintain a secure VPN, network administrators should perform the following tasks on a regular basis:

• Reduce the VPN gateway attack surface
• Verify that cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 
• Avoid using default VPN settings
• Remove unused or non-compliant cryptography suites
• Apply vendor-provided updates (i.e. patches) for VPN gateways and clients

Additionally, you can;

• For unauthorized changes search all configuration options. This includes the authorized key file of the SSH, new rules, and commands for IPtables to run on clients. 
• Check and monitor VPN logs and network traffic. Verify connections from unusual IP addresses, particularly those returned with successful connections or long data lengths.
• You may want your device to be wiped if you think there has been exploitation but you are not able to find any proof of any changes. Follow the guidelines of the producer for this.

• Enable 2FA (two-factor authentication) for the VPN to protect itself from password replay attacks in two-factor authentication.
• Disable any functionality and ports on the VPN which are not required, or used.

SOCRadar can help

With SOCRadar Vulnerability Management you can prioritize patching by laser-focusing on your digital footprint.

Hackers see what you don’t see

Gartner states that only roughly one-eighth of all vulnerabilities in the past decade were actually exploited in the wild. Many of them are frequently reused and leveraged in a wide range of threats, such as Remote Access Trojans (RATs) and ransomware. Taking external-facing vulnerable services into perspective, SOCRadar is committed to providing you with actionable insights and context while speeding up the prioritization process.

Vulnerability trends

Get a threat landscape-centric view of global vulnerability trends to better-prioritize patching through the easy-to-use Vulnerability Intelligence dashboard of SOCRadar, gain insights into which vulnerabilities are being leveraged by threat actors.

Cryptographic infrastructure

Avoid being vulnerable to SSL/TLS attacks, such as Heartbleed Bug, POODLE, Freak by monitoring your cryptographic infrastructure by signature signing algorithms, the presence of insecure ciphers, certificate validity, and expiration.

Exposed critical ports

Monitor continuously your perimeter for critical open ports like RDP to prevent disruptive breaches, rapidly access, and download auto-generated reports about exposed ports and network services by type, FQDNs, IP addresses.

Shadow IT

Discover and monitor all your forgotten external-facing assets including CMSs, network applications, SSL certificates, and JavaScript libraries to get timely alerts of the latest critical vulnerabilities.

JavaScript threats

Detect unmaintained JS libraries which often contain vulnerabilities such as cross-site scripting (XSS), cross-site request forgery, and buffer overflows.

Try SOCRadar free VPNRadar to test your VPN security (VPN Radar – SOCRadar LABS)

Non-intrusive and instant testing tool will check if there’s any:

• Malware or bot-infected VPN user device
• Unpatched critical vulnerability
• Cryptographic infrastructure issue
• Man-in-the-middle (MITM) risk
• And more…

Discover SOCRadar® Community Edition for free

With SOCRadar® Community Edition, you’ll be able to:

• Discover your unknown hacker-exposed assets
• Check if your IP addresses tagged as malicious
• Monitor your domain name on hacked websites and phishing databases
• Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.