Last week, the National Cyber Security Centre (NCSC) reported that it is investigating the exploitation of known vulnerabilities in VPN products by Advanced Persistent Threat (APT) actors. The affected VPN products come from vendors including Pulse Secure, Palo Alto Networks and Fortinet.
The activity is ongoing and targets organizations in the UK and internationally. According to the NCSC, affected sectors include government, military, academia, business and healthcare.
Vulnerabilities exist in several SSL VPN products
According to the report, vulnerabilities exist in several SSL VPN products that allow an attacker to retrieve arbitrary files, including files containing authentication credentials. An attacker can then use the stolen credentials to connect to the VPN, change configuration settings, or pivot to further internal infrastructure.
The report also highlights that an unauthorized connection to a VPN can give the attacker the privileges needed to run secondary exploits aimed at obtaining a root shell.
Top Vulnerabilities in VPN exploited by APTs
The highest-impact vulnerabilities known to be exploited by APTs are listed below:
Pulse Connect Secure:
- CVE-2018-13379: Pre-auth arbitrary file reading
- CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user
- CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router
- CVE-2019-1579: Palo Alto Networks GlobalProtect Portal
The NCSC suggests that users of these VPN products investigate their logs for evidence of compromise, especially if the security patches were not applied immediately after release. Administrators should also look for evidence of compromised accounts in active use, such as logins from anomalous IP locations or at anomalous times. The report also gives product-specific advice on detecting exploitation in VPN connections.
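The "anomalous IP locations or times" check above can be automated against VPN authentication logs. The following is an added example, not code from the NCSC report or this article; it assumes a simplified, constructed "timestamp user source_ip" log format and flags logins from a source /24 or at an hour that the user has rarely used before.

```python
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed sample VPN login records: "timestamp user source_ip".
# alice normally logs in around 08:00-09:00 from 203.0.113.0/24; the last
# alice line is an off-hours login from a network never seen before.
SAMPLE_LOGS = """\
2019-09-02T08:05:11 alice 203.0.113.10
2019-09-03T08:10:42 alice 203.0.113.12
2019-09-04T09:01:03 alice 203.0.113.15
2019-09-05T08:55:30 alice 203.0.113.11
2019-09-06T03:14:07 alice 198.51.100.77
2019-09-02T17:30:00 bob 192.0.2.40
2019-09-03T18:02:11 bob 192.0.2.41
2019-09-04T17:45:59 bob 192.0.2.43
"""

def parse_logs(text):
    """Parse 'timestamp user source_ip' lines into (datetime, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip = line.split()
            events.append((datetime.fromisoformat(ts), user, ipaddress.ip_address(ip)))
    return events

def source_net(ip, prefix=24):
    """Collapse a source address to its /prefix network so small DHCP churn is ignored."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 0 are 1 apart)."""
    return min(abs(a - b), 24 - abs(a - b))

def find_anomalies(events, prefix=24, min_seen=2, hour_slack=1):
    """Return (timestamp, user, ip, reasons) for logins outside the user's baseline.

    A source network or login hour counts as normal for a user once it has been
    seen at least min_seen times; hours within hour_slack of a normal hour pass."""
    net_seen = Counter((u, source_net(ip, prefix)) for _, u, ip in events)
    hour_seen = Counter((u, ts.hour) for ts, u, _ in events)
    normal_hours = {}
    for (u, h), n in hour_seen.items():
        if n >= min_seen:
            normal_hours.setdefault(u, set()).add(h)
    flagged = []
    for ts, user, ip in events:
        reasons = []
        if net_seen[(user, source_net(ip, prefix))] < min_seen:
            reasons.append("new source network")
        if not any(hour_distance(ts.hour, h) <= hour_slack for h in normal_hours.get(user, ())):
            reasons.append("unusual login hour")
        if reasons:
            flagged.append((ts.isoformat(), user, str(ip), reasons))
    return flagged

if __name__ == "__main__":
    for ts, user, ip, reasons in find_anomalies(parse_logs(SAMPLE_LOGS)):
        print(f"{ts} {user} {ip}: {', '.join(reasons)}")
```

On the sample data only the 03:14 login by alice from 198.51.100.77 is flagged; in practice the baseline should be built from a longer window than the period being reviewed.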
Steps to mitigate the vulnerabilities in VPN
The NCSC lists the essential steps for mitigating the risk from these vulnerabilities, and suggests that owners of vulnerable products take two steps promptly:
- Apply the latest security patches released by vendors
- Reset authentication credentials associated with affected VPNs and accounts connecting through them
The most effective way to mitigate the risk of actors exploiting these vulnerabilities is to ensure that the affected products are patched with the latest security updates. Pulse Secure, Palo Alto Networks and Fortinet have all released patches for these vulnerabilities. The NCSC also encourages organizations to report any current activity related to these threats to [email protected], where it will offer help and guidance.
On Hacker News, this report has gained significant traction, and users are discussing the nature of various VPN products and services. One commenter wrote, “Commercial enterprise VPN products are an open sewer, and there aren’t any, from any vendor, that I trust. I don’t like OpenVPN or strongSwan, but you’d be better off with either of them than you would be with a commercial VPN appliance. The gold standard, as ever, is Wireguard.”
To learn more about this report, see the official NCSC website.