I strongly encourage everyone to use a VPN when they access the internet. It doesn’t matter if you’re a big corporate network, or an individual consumer watching YouTube on your phone. If you use unencrypted TCP/IP protocols, transmitting cleartext gives cyber attackers an easy way to hijack your phone, tablet or PC. Even if you do use encrypted protocols, using a VPN still gives you an extra layer of encryption so that your sensitive financial and personal data are more secure.
But just like with TLS certificates and the HTTPS web protocol, your VPN encryption is only as secure as its implementation. If your encryption is improperly implemented, it’s useless. It’s like having an extra strong lock on your door, but an easily breakable window is next to it and it’s large enough for an adult to crawl through.
Cyber attackers will often try to find ways to bypass encryption rather than try to crack the cipher itself. And quite frequently, they’re successful. Advanced Persistent Threat (APT) groups have been caught exploiting vulnerabilities in a few popular VPN services. The danger is so serious that both the US National Security Agency (NSA) and the UK National Cyber Security Centre (NCSC) are trying to warn as many people as they can about it.
The vulnerabilities affect Pulse Secure, Palo Alto GlobalProtect and Fortinet FortiGate. The specific versions of the VPNs that are vulnerable include:
- Pulse Connect Secure 9.0RX
- Pulse Connect Secure 8.3RX
- Pulse Connect Secure 8.2RX
- Pulse Connect Secure 8.1RX
- Pulse Policy Secure 9.0RX
- Pulse Policy Secure 5.4RX
- Pulse Policy Secure 5.3RX
- Pulse Policy Secure 5.2RX
- Pulse Policy Secure 5.1RX
- Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
- Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
- Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3
- Fortinet FortiOS 6.0.0 to 6.0.4
- Fortinet FortiOS 5.6.3 to 5.6.7
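The quickest practical check is to compare your appliance inventory against the list above. The following is an added example (not code from the original post or from any of the vendors) that transcribes the ranges above into a table and flags hosts still on an affected build; the product names, the `AFFECTED` table layout and the inventory format are assumptions made for the example.

```python
import re

def parse_version(text):
    """'8.1.3', '9.0R3.4' or '8.0.12-h1' -> tuple of ints, compared lexicographically."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

# Affected ranges transcribed from the list above (a constructed table, not a vendor feed).
# "train":   every release whose version starts with the prefix (the post's "9.0RX");
#            the vendor advisory is the authority on which build in that train is fixed.
# "below":   same x.y train with a patch level earlier than the fixed release ("7.1.x < 7.1.19").
# "between": inclusive range ("6.0.0 to 6.0.4").
AFFECTED = [
    ("Pulse Connect Secure", "train", "9.0", None),
    ("Pulse Connect Secure", "train", "8.3", None),
    ("Pulse Connect Secure", "train", "8.2", None),
    ("Pulse Connect Secure", "train", "8.1", None),
    ("Pulse Policy Secure", "train", "9.0", None),
    ("Pulse Policy Secure", "train", "5.4", None),
    ("Pulse Policy Secure", "train", "5.3", None),
    ("Pulse Policy Secure", "train", "5.2", None),
    ("Pulse Policy Secure", "train", "5.1", None),
    ("GlobalProtect", "below", "7.1", "7.1.19"),
    ("GlobalProtect", "below", "8.0", "8.0.12"),
    ("GlobalProtect", "below", "8.1", "8.1.3"),
    ("FortiOS", "between", "6.0.0", "6.0.4"),
    ("FortiOS", "between", "5.6.3", "5.6.7"),
]

def is_affected(product, version):
    """True if this product/version falls inside any transcribed affected range."""
    v = parse_version(version)
    for prod, kind, lo, hi in AFFECTED:
        if prod != product:
            continue
        lo_v = parse_version(lo)
        on_train = v[:len(lo_v)] == lo_v
        if kind == "train" and on_train:
            return True
        if kind == "below" and on_train and v < parse_version(hi):
            return True
        if kind == "between" and lo_v <= v <= parse_version(hi):
            return True
    return False

def unpatched_hosts(inventory):
    """inventory maps hostname -> (product, version); returns hosts still on affected builds."""
    return sorted(h for h, (p, ver) in inventory.items() if is_affected(p, ver))
```

Hotfix suffixes such as `8.0.12-h1` compare as later than the fixed release, so they are correctly reported as patched.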
From the NCSC’s alert:
“The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse Secure, Fortinet and Palo Alto.
This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare. These vulnerabilities are well documented in open source, and industry data indicates that hundreds of UK hosts may be vulnerable.
Vulnerabilities exist in several SSL VPN products which allow an attacker to retrieve arbitrary files, including those containing authentication credentials.
An attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure.
Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell.”
Two of the vulnerabilities, CVE-2019-11539 and CVE-2019-1579, are remote code execution bugs which affect Pulse Secure's Pulse Connect Secure and Pulse Policy Secure, and Palo Alto's GlobalProtect VPN, respectively. The first affects the admin web interface and “allows an authenticated attacker to inject and execute commands.” The second “may allow an unauthenticated remote attacker to execute arbitrary code” if the GlobalProtect Portal or GlobalProtect Gateway Interface is enabled.
Another two of the vulnerabilities, CVE-2019-11510 and CVE-2018-13379, allow pre-authentication arbitrary file reading. The first allows an unauthenticated remote attacker to “send a specially crafted URI to perform an arbitrary file reading vulnerability,” and the second allows an “unauthenticated attacker to download system files via special crafted HTTP resource requests” through Fortinet's web portal.
And finally, there’s CVE-2018-13382 and CVE-2018-13383. The first pertains to Fortinet’s web portal and “allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.” The second also pertains to Fortinet’s web portal and “may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.”
Cyber warfare and the APT groups that wage it are a serious, ongoing threat that I expect to only get worse as the years go on. They can acquire sensitive financial data, compromise internal enterprise networks, or even shut down power grids and other industrial facilities. It's more important than ever to patch all of your software so vulnerabilities don't sit around waiting to be exploited.
If your organization uses Pulse, Palo Alto, or Fortinet VPNs, you must install their latest patches as soon as possible. All of the vulnerabilities I’ve mentioned now have patches available. And if you use any other VPNs, make sure those are patched too.
Vendors work hard to develop patches when they’re aware that vulnerabilities exist. But all of their hard work won’t help your organization if you don’t install their patches. So update all of your VPN software! You might just be averting a disaster in the making.