Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Enterprise VPN Vulnerabilities Expose Organizations to Hacking, Espionage

Critical vulnerabilities in enterprise virtual private network (VPN) solutions from Palo Alto Networks, Fortinet and Pulse Secure allow attackers to infiltrate corporate networks, obtain sensitive information, and eavesdrop on communications, researchers warn.

Critical vulnerabilities in enterprise virtual private network (VPN) solutions from Palo Alto Networks, Fortinet and Pulse Secure allow attackers to infiltrate corporate networks, obtain sensitive information, and eavesdrop on communications, researchers warn.

Orange Tsai and Meh Chang of the research team at security consulting firm DEVCORE told SecurityWeek that they set out to find the most serious types of vulnerabilities in these products — namely unauthenticated remote code execution — and they claim to have achieved their goal.

The vulnerabilities were identified in Palo Alto Networks GlobalProtect, Fortinet FortiGate (FortiOS), and Pulse Secure’s Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). Each of the impacted vendors has released patches and advisories for their customers.

In the Pulse Secure products the researchers said they identified a total of 7 vulnerabilities, including an arbitrary file read issue that can be exploited without authentication, and post-authentication stack buffer overflow, command injection, arbitrary file read/write, session hijacking, and cross-site scripting (XSS) flaws.

Orange Tsai told SecurityWeek that they combined the unauthenticated file read issue (CVE-2019-11510) with a post-authentication command injection bug (CVE-2019-11539) to achieve remote code execution.

In the case of the FortiGate SSL VPN, the researchers discovered arbitrary file read, XSS and heap overflow flaws that can be exploited without authentication, as well as a post-authentication heap overflow, and a weakness that can be exploited to modify any user’s password. They chained an unauthenticated arbitrary file read issue (CVE-2018-13379) with a post-authentication heap overflow (CVE-2018-13382) to achieve remote code execution.

Enterprise VPN vulnerabilities

The researchers plan on detailing their findings at the upcoming Black Hat USA and DEFCON conferences next month, but they have already shared some details and proof-of-concept (PoC) code for the remote code execution vulnerability affecting the Palo Alto Networks products. During their analysis of the GlobalProtect flaw, they noticed that the product had been used by Uber on 22 of its servers.

“An attacker can gain the root shell on the target SSL VPN system with no authentication required! The only thing he needs to do is to send several malicious/crafted requests,” Orange Tsai said about the vulnerabilities in an email.

Advertisement. Scroll to continue reading.

He says an attacker can exploit the vulnerabilities to infiltrate an organization’s intranet and access internal services storing sensitive data, they can obtain personal information and passwords belonging to employees, and they can extract private keys that would allow them to decrypt HTTPS connections and eavesdrop on communications.

“Moreover, we propose a new method to hack back all the VPN clients! With our research, we can not only compromise the corporation network but also the employee’s personal laptop,” the researcher explained.

Pulse Secure told SecurityWeek that it released patches on April 24, roughly one month after being notified.

“Pulse Secure is not aware of any exploit of this vulnerability,” Pulse Secure said. “Users that have enabled logging of unauthenticated access to their appliance would know if a breach has occurred by looking at the system logs. Audit logging is a security best practice, as a vulnerability scanner would not have detected this vulnerability. It would have been very difficult to exploit this vulnerability because it requires in-depth knowledge of the Pulse Connect Secure product, as well as a specially crafted URI (Uniform Resource Identifier) string and an untraditional combination of steps.”

Fortinet fixed the flaws with FortiOS updates released in May. The company has published individual advisories for each of the vulnerabilities.

Palo Alto Networks said it identified the vulnerability internally before it was contacted by the researchers and released patches. However, the company only released an advisory this month, after the experts made their findings public.

Related: BlackBerry Cylance Downplays, Patches Antivirus Bypass

Related: Several Vulnerabilities Found in Comodo Antivirus

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...