Researchers have found several security flaws in popular corporate VPNs which they say can be used to silently break into company networks and steal business secrets.
Devcore researchers Orange Tsai and Meh Chang, who shared their findings with TechCrunch ahead of their upcoming Def Con talk, said the flaws found in the three corporate VPN providers — Palo Alto Networks, Pulse Secure and Fortinet — are “easy” to remotely exploit.
These VPNs — or virtual private networks — aren’t your traditional consumer VPN apps designed to mask where you are and hide your identity, but are used by staff who work remotely to access resources on a company’s network. Typically employees must enter their corporate username and password, and often a two-factor code. By connecting over an HTTPS (SSL) connection, these providers create a secure tunnel between the user’s computer and the corporate network.
But Tsai and Chang say the bugs they found allow anyone to covertly burrow into a company’s network without needing a working username or password.
“We could compromise the VPN server and corporate intranet with no authentication required, compromise all the VPN clients, and steal all secrets from the victims,” Tsai told TechCrunch an email.
“The SSL VPN is the most convenient way to connect to corporate networks,” Tsai said. “On the other hand, for hackers, SSL VPN must be exposed to the internet, so it’s also the shortest path to compromise their intranet.”
“A few SSL VPN vendors dominate the market — therefore, if we find any vulnerability on these vendors, the impact is huge,” he said.
In their first write-up detailing the Palo Alto bug, the researchers said a simple format string flaw — such as inputted text that isn’t properly understood by the server — is enough to crash the service altogether. Several major companies use Palo Alto’s GlobalProtect VPN — including Uber — they said.
The researchers tested the bug on one of Uber’s internal Palo Alto-run servers, they said. Uber quickly fixed the bug, but said its internal infrastructure was safe.
The researchers also used the vulnerabilities to expose flaws in systems belonging to Twitter, said Tsai. “We got the root privilege on Twitter’s most important VPN server successfully and got the highest severity and the highest bounty from their bounty program,” he said.
When the researchers privately contacted Palo Alto about the bugs, the company said the bugs had already been “found internally” and did not issue a corresponding public security advisory. Following Tsai and Chang’s write-up, some were critical of Palo Alto’s response. Security researcher Kevin Beaumont said in a tweet that it looked like the security giant issued a “silent fix” for this “really serious bug” without alerting anyone. About one-third of the internet-connected boxes he tested were vulnerable as of last week, he tweeted.
Palo Alto eventually issued an advisory, a day after Tsai and Chang posted their blog post detailing the bugs.
Fortinet also released advisories for their respective bugs and have updated new firmware to fix the vulnerabilities. System administrators are advised to update their vulnerable gateways to the latest versions.
Pulse Secure’s chief marketing officer Scott Gordon said the company notified its customers of the vulnerability, and an available patch, in late April. Gordon said the company is “not aware” of any exploit.
Palo Alto acknowledged it fixed the bugs but did not address criticism from the security community.
A spokesperson for Fortinet did not comment when reached prior to publication.
It’s the latest round of VPN-related bugs this year. In April, Homeland Security warned enterprises about a rash of vulnerabilities in many major corporate VPN providers — also affecting Palo Alto and Pulse Secure, as well as Cisco and F5 Networks.
Tsai and Chang are set to release details of the Pulse Secure and Fortinet flaws in the coming days.