D_041819_DHSConklinBlog_1500x679
Rick Conklin

Reflections on the US DHS CISA Notification of Vulnerability in Four VPN Applications

The CERT Coordination Center (CERT/CC) for the US Department of Homeland Security (DHS) AZ released information on a vulnerability affecting multiple Virtual Private Network (VPN) applications. “An attacker could exploit this vulnerability to take control of an affected system,” the notice stated.

The Cybersecurity and Infrastructure Security Agency (CISA) encouraged users and administrators to review Vulnerability Note VU#192371 and to contact their VPN vendors for more information.

The Concern

Multiple Virtual Private Network (VPN) applications store the authentication and/or session cookies insecurely in memory and/or log file, based on the CERT/CC analysis as part of the set up of what is supposed to be a secure connection with another network over the public Internet.

“Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files,” the notice states, then goes on to detail including a list of over 200 VPN software and technology vendors including specific agents and clients from highly trusted companies also writing that “It is likely that this configuration is generic to additional VPN applications.”

The notification summarizes the potential impact this way: “If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.”

The ramifications of this vulnerability being left unaddressed, of course, present serious risks to government agencies, enterprises, businesses and other organizations who rely on legacy VPN vs. newer technologies such as Software Defined Networking (SDN) to share mission critical data on private networks.

It is important for CISOs and other IT professionals (and the teams responsible for network and data security compliance) to note that these vulnerabilities aren't covered by the basic encryption engines at work in VPNs, but rather persist in the way a particular session has been authenticated, and how data is stored and protected – or left unprotected.

Naturally, the vendors are working as quickly as possible on patches, but this may be a shot across the bow to IT decision makers about how they should be thinking about the post-VPN world, including moving to SDN which extends to every endpoint on every network.

VPNs are ideal targets for attackers, even as the attack surface given the explosion of digital applications continues to grow. Vulnerable to attacks and malware, cyber adversaries know VPNs are exactly what organizations use to share sensitive information. Those adversaries can take advantage of these weaknesses to access, steal, and even control VPNs.

Hackers connecting over the VPN can also steal expensive network resources, as if they had physical access to those resources.

The Solution

Software-defined perimeter (SDP) systems, like those we provide at Dispersive, offer the possibility of security well beyond the limitations of both VPNs and SD-WANs. Going forward, we believe SDNs with solid SDP capabilities are aligned with efforts by the Office of the Federal CIO associated with the Trusted Internet Connection (TIC) framework.

Even as the US Federal Government continues to support organizations with notifications like this week’s important publication, the government itself is focused on ensuring communications and data networks which serve citizens are as solid as networks can get.

They, like other innovators and disrupters are wisely investing in not only warning about legacy technology, but in supporting the next level of secure IP networking, including communications that run over the most resilient network in the world started by DARPA decades ago – the public Internet hardened by advanced technologies, algorithms, encryption methodologies and average-case-intractable network security applications.

The CERT/CC is offering assistance at cert@cert.org with the affected products, version numbers, patch information, and self-assigned CVE being maintained in a database.

To learn more about how Dispersive Networks has been pioneering in this space, please contact us here.