Remote work has become a reality at many companies, and as such, Virtual Private Networks (VPNs) are a key component of many organizations’ cybersecurity toolkits. VPNs designed for enterprise use go well beyond those marketed to consumers in the Google Play or Apple App Store, which can mask your location and identity while you wait for a latte. Enterprise VPNs are specifically designed to give remote workers secure access between their company-issued device and the organization’s network. Imagine, however, a flaw in your VPN that threat actors could leverage to secretly access your network. A team of security researchers is claiming to have found such a vulnerability.
Orange Tsai and Meh Chang, researchers with Devcore, previewed their findings for Zack Whittaker of TechCrunch ahead of their presentation at the upcoming Black Hat conference in Las Vegas. According to Tsai and Chang, three enterprise VPN providers (Palo Alto Networks, Pulse Secure, and Fortinet) have flaws in their products that “are ‘easy’ to remotely exploit.”
Tsai told TechCrunch that the vulnerability they found allowed them to “compromise the VPN server and corporate intranet with no authentication required, compromise all the VPN clients, and steal all secrets from the victims.” Tsai also noted that because only a few SSL VPN vendors control most of the market share, a vulnerability of this scale could have a serious impact.
Some major organizations, including Uber and Twitter, were among those the Devcore researchers were able to access via the flaw in the Palo Alto VPN. When Devcore reached out to Palo Alto Networks, they were told that the bugs had already been discovered, and as such, the company did not issue an advisory, choosing instead to release a “silent fix.” A silent fix, however, only protects customers whose security teams package and roll out the update to their own endpoints in a timely fashion.
Fortinet and Pulse Secure have both notified their customers, and have issued patches and/or firmware updates to address the issues.
If you are heading to this year’s Black Hat Conference in Las Vegas, Nevada, Tsai and Chang will be presenting their findings on Wednesday, August 7 in an afternoon session.