Exposed: Critical Vulnerabilities in Remote Access VPNs

 

Over the last year or so we have seen an uptick in critical vulnerabilities which have left industry leading vendors rushing around to push out mitigations and updates for their firewalls and remote access appliances.

These are vulnerabilities rated as high as 10 by Mitre in terms of their CVSS score which in the vulnerabilities world (unlike professional gymnastics) is as bad as it gets!

According to CISA (Americas Cyber Defence Agency) there have been over 314 discovered VPN vulnerabilities issues since 2021 and of course those are only the ones they (we) known about. These include vulnerabilities around remote code execution, denial of service,  privilege escalation and information disclosure attacks that are actively being exploited. This number roughly translates to a 25% increase year on year.

The Dutch National Cyber Security Centre reported in June this year that they believe at least 20,000 FortiGate firewalls were compromised due to CVE-2022-42475 – a critical (9.8) buffer overflow bug in FortiOS SSL-VPN allowing for remote code execution.

Ivanti VPN products including Avanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure Gateways announced multiple critical vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893) which included authentication bypass and remote code execution. This was so severe that the recommendation was to disconnect the affected devices immediately until patches became available, even then a full factory reset was advised.

 

Are you at Risk?

Anyone out there who doesn’t have an effective firewall management plan or believes that a third party is looking after them on their behalf, really needs to be proactive today.

 

The Solution:

Whilst vulnerabilities are inevitable and attackers are always looking for the next way in there are steps which can be taken to better protect against these issues:

    1. Multi-Factor Authentication. Is MFA good enough, that’s an another topic entirely but nevertheless there are still lots of organisations not requiring MFA. Also, don’t assume MFA is working as we still do far too many security assessments and find MFA disabled where it was supposed to be enabled.

 

    1. Keep firmware up-to-date is a MUST! Monitor your chosen vendors’ feeds for any announcements regarding updates and vulnerabilities and ensure they are applied quickly when critical updates become available. Perform your own vulnerability scanning too to monitor your internet perimeter or use a security service to do this for you and highlight any critical vulnerabilities visible over the internet.

 

    1. Network based IPS. Whilst waiting for updates organisations are often left exposed but in many cases vendors do release detection signatures which can identify attack patterns or exploitation behaviour and stop it in its tracks. This may be thought of as virtual patching and is actually marketed as such by some vendors. Whether a next-gen firewall’s own IPS functionality can be used for this or another dedicated network intrusion toolset.

 

    1. Consider a new architecture for remote access. Secure Access Service Edge (SASE) is starting to gain popularity where basically organisations can use a cloud based platform for remote access, as well as other services such as web, firewall and application security. Its entirely plausible these platforms may suffer from time-to-time with vulnerabilities however.

 

  1. Finally, don’t forget to log and monitor for suspicious activities. Whilst in recent years much of the monitoring and detection focus has been on endpoint detection and response, our advice is don’t forget the network. Identifying and stopping malicious activity at the network level could nip an attack in the bud before a host is even compromised.

 

**

One phrase I’ve not mentioned above and that’s gaining traction in the realm of cyber security is Zero Trust. By adopting the ZTNA (Zero Trust Network Access) methodology and integrating it into your current and future infrastructure plans, you’d be doing most of the suggested steps above (taking into account effective planning and configuration).

By adopting a Zero Trust model, organisations are essentially verifying every user and device trying to access their network, regardless of whether they are inside or outside the traditional network perimeter. This means that even if a user is using a VPN to connect remotely, they still need to go through the same rigorous authentication and authorisation processes as if they were physically in the office. This helps to mitigate the risks associated with VPN vulnerabilities and ensures that only authorised individuals are able to access sensitive company resources.

This was covered in a recent webinar, A Guide to Modern Network Security Through Zero Trust and SASE, which can be watched here.

Content