Researchers Unearth New VPN Vulnerabilities


Over the past few days, security researchers have disclosed details of several vulnerabilities affecting virtual private networks (VPNs).

Immersive Labs researcher and content engineer Alex Seymour recently disclosed two security vulnerabilities, tracked as CVE-2019-17387 and CVE-2019-17388, in the Aviatrix VPN client, an enterprise VPN used by organizations such as the National Aeronautics and Space Administration (NASA).

CVE-2019-17387 allows a local attacker to gain elevated privileges by executing arbitrary code through the client's privileged service on Windows, Linux and macOS. Although Aviatrix uses certificates to validate requests from legitimate VPN users, which is supposed to prevent unauthorized access to the service, Immersive Labs said that a bit of digging reveals the relevant private key and certificates inside a file stored in the operating system's temporary directory, where any local user can read them.

The file containing the key and certificates can also be recreated by the attacker. “With all this information in hand, it is possible to craft requests to the service and gain code execution by passing commands wrapped in subshells in args instead of the expected file paths,” Immersive Labs said.

CVE-2019-17388, meanwhile, allows an attacker to gain elevated privileges and execute arbitrary code through file modifications on Windows and Linux. On Linux, the Aviatrix installation directory has weak file permissions, so Immersive Labs said a low-privileged user can modify code that then runs with elevated privileges. On Windows, the permissions on the service executable make it possible to replace it with a malicious executable. On Windows, however, the VPN service has to be stopped before the file can be replaced, which requires either an administrator account or the permissions needed to restart the service.
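The two conditions behind these bugs, a privileged service's install directory that unprivileged users can write to and private key material left readable in a temp directory, are both things a local audit can catch. The following Python script is an added example and not Immersive Labs' or Aviatrix's code; the directory layout, file names and the "vpnclient" name are assumptions used for a constructed fixture so that it runs offline.

```python
# Added example, not Immersive Labs' or Aviatrix's code: two local checks for
# the conditions behind CVE-2019-17388 (a privileged service's install
# directory that unprivileged users can write to) and CVE-2019-17387 (private
# key material left readable in a temp directory). Directory layout, file
# names and the "vpnclient" name are assumptions for the constructed fixture.
import os
import shutil
import stat
import tempfile


def world_writable_files(root):
    """Regular files under root that any local user may modify. Anything
    here that a root/SYSTEM service later loads or executes is a local
    privilege escalation waiting to happen."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if os.stat(path).st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def exposed_private_keys(root):
    """Files under root that look like PEM private keys and are readable by
    group or other. A key that authenticates a client to a privileged
    service must be readable only by its owner."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if not os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                continue
            with open(path, "rb") as f:
                head = f.read(4096)
            if b"PRIVATE KEY-----" in head:
                hits.append(path)
    return sorted(hits)


def fix_key_permissions(path):
    """Restrict a leaked key to its owner; returns the new permission bits."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def _write(path, data, mode):
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def make_fixture():
    """Constructed sample tree (not a real install): one world-writable helper
    in a fake install dir, one correctly restricted service binary, and a
    readable key file plus a harmless text file in a fake temp dir."""
    base = tempfile.mkdtemp(prefix="vpnaudit-")
    install = os.path.join(base, "opt", "vpnclient")
    tmp = os.path.join(base, "tmp")
    os.makedirs(install)
    os.makedirs(tmp)
    _write(os.path.join(install, "helper.sh"), b"#!/bin/sh\necho legit\n", 0o777)
    _write(os.path.join(install, "service"), b"#!/bin/sh\necho service\n", 0o755)
    _write(os.path.join(tmp, "client.key"),
           b"-----BEGIN PRIVATE KEY-----\nAAAAAAAA\n-----END PRIVATE KEY-----\n", 0o644)
    _write(os.path.join(tmp, "notes.txt"), b"not a key\n", 0o644)
    return base


def remove_fixture(base):
    shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    base = make_fixture()
    print("world-writable under install dir:",
          world_writable_files(os.path.join(base, "opt", "vpnclient")))
    print("readable private keys under tmp:",
          exposed_private_keys(os.path.join(base, "tmp")))
    remove_fixture(base)
```

Pointed at a real installation directory and the system temp directory, the two checks give the same two findings described above; the Windows variant of the second bug needs an ACL check rather than POSIX mode bits, which this script does not attempt.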

“People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry,” Seymour said. Seymour reported the vulnerabilities to Aviatrix on October 7, 2019, and Aviatrix released a patch for them on November 4, 2019.

Hijacking of VPN Connections

Researchers at Breakpointing Bad and the University of New Mexico, meanwhile, disclosed a new vulnerability that allows attackers to hijack TCP connections carried inside a VPN tunnel. According to the researchers, hijacking a VPN connection takes three steps:

  1. Determine the VPN client’s virtual IP address;
  2. Use the virtual IP address to make inferences about active connections; and
  3. Use the encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of the active connection to hijack the TCP session.

Operating systems the researchers tested and found vulnerable include Linux, FreeBSD, OpenBSD, macOS, iOS and Android. The researchers added that the attack does not depend on which VPN product is used. “It should be noted, however, that the VPN technology used does not seem to matter and we are able to make all of our inferences even though the responses from the victim are encrypted, using the size of the packets and number of packets sent (in the case of challenge ACKs, for example) to determine what kind of packets are being sent through the encrypted VPN tunnel,” the researchers said.

Active Exploitation of VPN Vulnerabilities

In August 2019, the Canadian Centre for Cyber Security issued an alert warning the public about the active exploitation of VPN vulnerabilities. That alert covered vulnerabilities in Fortinet FortiGate SSL VPN, Palo Alto Networks GlobalProtect VPN, and Pulse Secure’s Pulse Connect Secure and Pulse Policy Secure.

The Fortinet FortiGate vulnerabilities allow attackers to change SSL VPN user passwords, view sensitive information including plaintext usernames and passwords, perform cross-site scripting and execute code on the VPN server.

The Palo Alto GlobalProtect vulnerability allows an attacker to execute arbitrary code on the VPN server, while the Pulse Connect Secure and Pulse Policy Secure vulnerability allows an attacker to view cached plaintext user passwords and other sensitive information.

Fortinet, Palo Alto Networks and Pulse Secure have already released patches for the above-mentioned vulnerabilities.

Preventive and Mitigating Measures

To prevent exploitation of the vulnerabilities in Aviatrix VPN, Fortinet FortiGate VPN, Palo Alto GlobalProtect VPN, and Pulse Connect Secure and Pulse Policy Secure, apply the security updates or patches released by the respective vendors. Because the Fortinet and Pulse Secure flaws expose plaintext or cached credentials, a gateway that was reachable while unpatched should also have those credentials reset after patching.

For the vulnerability disclosed by the researchers at Breakpointing Bad and the University of New Mexico, the researchers put forward the following mitigating measures:

  1. Turning Reverse Path Filtering On

The researchers warned, however, that even with reverse path filtering turned on, the first two parts of the attack can still be completed, and it may be possible to carry out the entire attack, although they had not accomplished this yet.

  2. Bogon filtering

The potential problem with bogon filtering, the researchers said, is that the addresses to be filtered are the same local network addresses used by VPNs and local networks, and some countries, such as Iran, “use the reserved private IP space as part of the public space.”

  3. Encrypt Packet Size and Timing

For this third mitigating measure, the researchers said: “Since the size and number of packets allows the attacker to bypass the encryption provided by the VPN service, perhaps some sort of padding could be added to the encrypted packets to make them the same size. Also, since the challenge ACK per-process limit allows us to determine if the encrypted packets are challenge ACKs, allowing the host to respond with equivalent-sized packets after exhausting this limit could prevent the attacker from making this inference.”
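The three attack steps from the "Hijacking of VPN Connections" section and this third mitigation can be put side by side in a small model. The Python below is an added example and not the researchers' code: it simulates a victim host answering unsolicited TCP segments sent to its virtual IP, an attacker who sees only the size and number of the encrypted tunnel packets that come back, and the padding and "keep answering at equal size" mitigations. Every packet size, the challenge-ACK budget, the tunnel overhead, the FAR_SEQ constant and the sample addresses are assumed values chosen for illustration; reverse path filtering is not modelled.

```python
# Added example, not the Breakpointing Bad / UNM researchers' code: a toy
# model of the three attack steps and of the third mitigation. The attacker
# sees only the size and number of encrypted tunnel packets. Every packet
# size, the challenge-ACK budget, the tunnel overhead and FAR_SEQ are
# assumed values chosen for illustration, not measurements of any VPN.

RST_LEN = 40                # assumed: IPv4 + TCP header, no options
CHALLENGE_ACK_LEN = 52      # assumed: ACK carrying a TCP timestamp option
ACK_LEN = 52                # assumed: an ordinary ACK is the same size on the wire
TUNNEL_OVERHEAD = 32        # assumed: fixed per-packet VPN framing and auth tag
CHALLENGE_ACK_LIMIT = 100   # assumed: challenge ACKs a host sends before going quiet
FAR_SEQ = 2 ** 31           # assumed: a sequence number outside any window in this model


def tunnel_size(plain_len, pad_to=None):
    """Size an on-path observer sees for one tunnelled packet. Stream and
    AEAD ciphers preserve length up to a fixed overhead, so the plaintext
    size leaks unless the sender pads to a fixed bucket first."""
    if pad_to:
        plain_len = -(-plain_len // pad_to) * pad_to   # round up to the bucket
    return plain_len + TUNNEL_OVERHEAD


class VictimHost:
    """Simplified RFC 5961-style handling of unsolicited TCP segments that
    arrive for the host's VPN virtual IP. `conn` is the single active
    connection: (remote_ip, remote_port, local_port, rcv_nxt, window)."""

    def __init__(self, virtual_ip, conn, pad_to=None, dummy_after_limit=False):
        self.virtual_ip = virtual_ip
        self.conn = conn
        self.pad_to = pad_to                        # mitigation: pad tunnel packets
        self.dummy_after_limit = dummy_after_limit  # mitigation: never go quiet
        self.challenge_acks_sent = 0

    def reply_lengths(self, dst_ip, src_ip, src_port, dst_port, seq):
        """Plaintext length of each reply to one probe; an empty list is silence."""
        if dst_ip != self.virtual_ip:
            return []                           # probe did not hit this host's virtual IP
        rip, rport, lport, rcv_nxt, win = self.conn
        if (src_ip, src_port, dst_port) != (rip, rport, lport):
            return [RST_LEN]                    # no such connection: RST
        if rcv_nxt <= seq < rcv_nxt + win:
            return [ACK_LEN]                    # in-window segment: ordinary ACK
        if self.challenge_acks_sent < CHALLENGE_ACK_LIMIT:
            self.challenge_acks_sent += 1       # out of window: rate-limited challenge ACK
            return [CHALLENGE_ACK_LEN]
        return [CHALLENGE_ACK_LEN] if self.dummy_after_limit else []


class Attacker:
    """Injects probes toward the victim but sees only encrypted sizes back."""

    def __init__(self, victim):
        self.victim = victim                    # stands in for the wire in this model
        self.known = {tunnel_size(RST_LEN): "RST", tunnel_size(CHALLENGE_ACK_LEN): "ACK"}

    def observe(self, dst_ip, src_ip, src_port, dst_port, seq=0):
        """Inject one probe and return the encrypted sizes that come back."""
        replies = self.victim.reply_lengths(dst_ip, src_ip, src_port, dst_port, seq)
        return [tunnel_size(n, self.victim.pad_to) for n in replies]

    def classify(self, sizes):
        """What the sizes alone reveal about the reply type."""
        return [self.known.get(s, "unknown") for s in sizes]


def find_virtual_ip(attacker, candidates):
    """Step 1: spray a bogus SYN-ACK at each candidate address; only the
    victim's own virtual IP draws a (RST-sized) reply through the tunnel."""
    for vip in candidates:
        if attacker.observe(vip, "198.51.100.9", 80, 1):
            return vip
    return None


def find_local_port(attacker, vip, remote_ip, remote_port, ports):
    """Step 2: keep the remote endpoint fixed and vary the local port. The
    4-tuple whose reply differs in size from a sure RST is the live connection."""
    baseline = attacker.observe(vip, "198.51.100.9", 80, 1)[0]
    for port in ports:
        sizes = attacker.observe(vip, remote_ip, remote_port, port)
        if sizes and sizes[0] != baseline:
            return port
    return None


def seq_in_window(attacker, vip, remote_ip, remote_port, local_port, seq_guess):
    """Step 3 (the count side channel): burn the challenge-ACK budget with
    out-of-window probes, then probe once with the guess. A reply means an
    ordinary ACK (guess in window); silence means the rate limit swallowed
    another challenge ACK (guess out of window)."""
    for _ in range(CHALLENGE_ACK_LIMIT):
        attacker.observe(vip, remote_ip, remote_port, local_port, FAR_SEQ)
    return bool(attacker.observe(vip, remote_ip, remote_port, local_port, seq_guess))


if __name__ == "__main__":
    conn = ("203.0.113.5", 443, 40000, 1000, 64000)   # constructed sample connection
    for label, victim in (("unmitigated", VictimHost("10.8.0.2", conn)),
                          ("padded+dummy", VictimHost("10.8.0.2", conn, 128, True))):
        atk = Attacker(victim)
        vip = find_virtual_ip(atk, ["10.8.0.1", "10.8.0.2", "10.8.0.3"])
        port = find_local_port(atk, vip, "203.0.113.5", 443, range(39990, 40010))
        print(label, "virtual IP:", vip, "local port:", port)
```

Against the unmitigated host the model recovers the virtual IP, the local port and whether a guessed sequence number is in the window. With packets padded to a fixed bucket, the RST and the challenge ACK become the same size and step 2 finds nothing, and with dummy replies after the challenge-ACK budget is spent, step 3 always sees an answer and so learns nothing. Padding alone does not hide that the host answered at all, which is why step 1 still succeeds in the model and why the researchers called the mitigations partial.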

Many companies use VPNs and take their security for granted. Speak with our experts today and find out instantly if your organization is at risk.

Call today (416) 920-3000 or email us at sales@genx.ca
