VPN security flaw could enable attackers to crack a network without user name or password

Warning over VPNs from Palo Alto Networks, Fortinet and Pulse Secure after researchers uncover new security flaw

Researchers at Devcore claim to have discovered security flaws in three popular corporate VPNs that could enable attackers to steal confidential information from a company's network.

The security flaws affect three corporate virtual private network (VPN) providers, namely Palo Alto Networks, Fortinet, and Pulse Secure, according to Orange Tsai and Meh Chang, the security researchers who first noticed the bugs.

VPNs are used to encrypt traffic between points on the internet, extending a private network across a public network. They are often used to enable staff working remotely to access resources on their organisation's corporate network.

Usually, companies provide their staff with a corporate username and password that need to be entered, along with a two-factor authentication code, before the VPN grants access to the company's network.

But Chang and Tsai claim that the flaws they unearthed could enable anyone to silently break into a company's network without a username or password.

According to Tsai, while an SSL VPN is a convenient way to connect to corporate networks, it also provides an easy way for hackers to infiltrate a company's intranet.

"A few SSL VPN vendors dominate the market. Therefore, if we find any vulnerability on these vendors, the impact is huge," Tsai told TechCrunch, ahead of a presentation at the Black Hat USA event in August.

In an online blog post, the researchers described the format string flaw affecting Palo Alto's GlobalProtect portal and GlobalProtect Gateway products.

The remote code execution flaw, indexed as CVE-2019-1579, exists in the PAN SSL Gateway and, if exploited, could enable unauthenticated threat actors to remotely execute arbitrary code on the target systems.

The vulnerability affects only older versions of the software, but these are still widely used across the world, including, the researchers point out, by ride-sharing firm Uber.

The researchers found 22 Uber-owned servers using a vulnerable version of GlobalProtect.

The company quickly updated its software when it was informed about the security vulnerability, but said that the majority of staff were not using the Palo Alto VPN as a primary VPN.

Palo Alto has already published an advisory to alert its customers about the vulnerability. The company has also advised users to update their software to the latest version as quickly as possible. Fortinet has also updated its firmware to address the vulnerability.

Pulse Secure, meanwhile, says it released a patch in April to address the issue.

It is not the first time that security flaws have been highlighted in VPN software, although the focus in recent years has typically been on free or subscription apps enabling people to surf the internet in private.

Last year, an investigation by Metric Labs revealed that the majority of the top-ranking free VPN apps on Google Play and the Apple App Store are either based in China, or have some kind of Chinese ownership.

Some earlier studies reviewing VPN services have also indicated that the majority of them are undermined by security failings, including IPv6 traffic leakage.

In May, US Department of Homeland Security director Christopher Krebs also warned that mobile VPN apps pose a significant security risk as several VPN services were being used by nation-state threat actors to eavesdrop on users.