VPNs have been a cornerstone of secure networking for the last 20+ years. They provide employees and third parties with secure remote access to corporate networks and services. However, as technology has evolved, most VPNs still lack the ability to enforce the narrow, granular permissions that enterprises require.
Cybercriminals are now exploiting vulnerabilities in the popular enterprise VPN products Pulse Secure and Fortinet's FortiGate to launch attacks. In mid-August, the threat intelligence website Bad Packets reported that its honeypots had detected opportunistic mass scanning activity from a host in Spain targeting Pulse Secure’s “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This arbitrary file reading vulnerability leads to sensitive information disclosure, giving unauthenticated attackers access to private keys and user passwords. Bad Packets found that 14,528 Pulse Secure VPN endpoints, spread across 121 countries and 2,535 systems, were vulnerable to CVE-2019-11510.
The vulnerabilities were initially disclosed in a talk titled “Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs” at this summer’s Black Hat. In an accompanying blog post, presenters Meh Chang and Orange Tsai detailed the proof of concept (POC) they launched against SSL VPNs. The POC was intended to determine whether SSL VPNs, while very convenient, are as secure as site-to-site VPNs. It turns out they contain some critical vulnerabilities that, with the right know-how, can be exploited. And though Chang and Tsai didn’t disclose the final malicious string that makes the entire exploit work, it was only a matter of time before attackers figured it out and used it against the VPNs in question.
Both vendors apparently knew about the vulnerabilities before they were exploited in the POC and had urged users to patch their VPNs as long as four months ago — but to this day, many remain unpatched.
It comes as no surprise that VPNs alone are exploitable. Experts and security firms have been saying for years that enterprises handling sensitive data should be moving away from VPNs to solutions like Software Defined Perimeters, which grant access on a highly granular basis. But many organizations have invested so heavily in their VPN infrastructure, and rely on it for convenient access, that migrating away from a solution that works (even if not optimally) often doesn't seem to make sense.
ZoneZero™ is the first ever Software Defined Perimeter (SDP, also known as Zero Trust Network Access) solution designed to enhance an organization’s existing Virtual Private Network (VPN) security with Zero Trust capabilities and minimal infrastructure changes. It is built to work alongside your existing VPN infrastructure, adding SDP capabilities to VPN security and yielding a more fortified combined SDP and VPN infrastructure. Deploying Safe-T ZoneZero™ allows organizations using VPN to easily start their journey towards SDP.
By deploying ZoneZero™, you can minimize the risk of your VPN being breached by:
Adding a second factor of authentication (e.g. a one-time password) as part of the ZoneZero solution, instead of relying on the VPN gateway's built-in 2FA, so that attackers cannot access the network from a compromised VPN gateway.
Hiding the internal network from the VPN gateway, to prevent lateral movement launched from a compromised VPN gateway. The Safe-T ZoneZero™ solution operates at the network layer, granting limited access based on user-specific policy.
Safe-T’s ZoneZero™ is the premier solution for IT system administrators who want the advantages of an SDP while keeping their existing VPN infrastructure. Implementing an SDP deployment on top of your existing VPN deployment creates a customized Zero Trust solution with all the granularity of SDP: a fully secured, flexible and scalable access solution.