Homeland Security Warns of VPN Security Bug

Securing the perimeter has been a military fortification practice hearkening back to the days of Hadrian’s Wall. But like its famed two-thousand-year-old counterpart, the tech-inspired equivalent might soon be as passé as the original Roman edifice.

In a recent alert, Homeland Security warned enterprise businesses that VPN apps from Cisco, F5 Networks, Palo Alto Networks and Pulse Secure contain a security flaw. More specifically, these apps improperly stored authentication tokens and session cookies without encryption on a user’s desktop, allowing hackers to exploit the weakness.

Used to create a secure channel with another network over the internet, VPNs are an important tool for businesses. Virtual private networks are often used so that employees can remotely access their company’s internal networks while working offsite, for example.

“If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods,” Carnegie Mellon University shared in their own statement, as part of their CERT (Computer Emergency Response Team) responsibilities. “An attacker would then have access to the same applications that the user does through their VPN session.”

As part of their function, VPN apps generate tokens from a worker’s password. These are subsequently stored on the worker’s computer so they can log back into their account without having to type their password every time. While convenient, these tokens can be stolen if they are not properly protected, and then used to access a company’s network via the employee’s account.
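The following Python example is added here and is not from the alert or from any of the vendors named: it audits a directory for the condition described above, flagging token-like values stored in plaintext and noting whether the file is readable beyond its owner. The file names, key names, sample values and entropy threshold are constructed assumptions.

```python
import math
import os
import re
import stat
import tempfile

# Key names that often label session material in client logs (assumed list, not vendor-specific).
KEY_RE = re.compile(
    r"(?i)\b(session[_-]?id|cookie|auth[_-]?token|token)\b\s*[=:]\s*([A-Za-z0-9+/_=-]{16,})")

def entropy(s):
    """Shannon entropy in bits per character; random tokens score high, placeholders low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def audit(root, min_entropy=3.5):
    """Walk root and report plaintext token-like values, redacted, with file exposure."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))  # readable beyond the owner
            with open(path, errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for key, value in KEY_RE.findall(line):
                        if entropy(value) >= min_entropy:
                            findings.append({"file": name, "line": lineno, "key": key.lower(),
                                             "value": value[:4] + "...", "exposed": exposed})
    return findings

def build_sample(root):
    """Constructed sample files standing in for a VPN client's log and state directory."""
    samples = {
        "client.log": (0o644, "09:14:02 INFO connecting to gateway\n"
                              "09:14:05 DEBUG auth ok, session_id=Zk3vQ9xL2mT7pR4wB8nY1cH6\n"
                              "09:14:06 INFO tunnel up\n"),
        "state.ini": (0o600, "cookie: Qw8eR2tY6uI0oP4aS7dF3gH9\n"),
        "template.ini": (0o644, "token=aaaaaaaaaaaaaaaaaaaa\n"),  # placeholder, low entropy
    }
    for name, (mode, text) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit(tmp):
            print(finding)
```

Findings carry only the first four characters of each value, so the audit report does not itself become another plaintext copy of the token.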

To date, Palo Alto Networks has issued a patch for this vulnerability with GlobalProtect version 4.1.1. Pulse Secure Connect Secure has updated their app with the latest Pulse Desktop Client and Network Connect product. F5 fixed their own insecure log storage problem with version 13.1.0.

While this may solve today’s security breach, it may only be a band-aid solution. According to Dan Tuchler, CMO of SecurityFirst, the concept of a company’s network existing as an electronic Shangri-La where only those deemed worthy gain access is largely a thing of the past. “These are enterprise-grade VPNs from leading vendors, used to ensure that only legitimate users can access corporate assets, and they can be compromised.”

“This is further evidence that the notion of a secure perimeter is obsolete, and a zero-trust model must be used,” Tuchler cautioned in an email statement. “Once the intruder is within the company’s network and begins to probe for valuable assets, it is imperative to protect the data – by encrypting it, enforcing access policies, and reporting any violations. The idea of a secure perimeter wall around the network is now an aging fairy tale.”

With the growing interest in cloud-based applications and the advent of IoT, the amount of information being electronically transmitted is likely to increase exponentially. Securing that data is already a complex challenge for the IT industry and only tomorrow will tell if they will be able to keep pace with cyber-hackers intent on finding that one chink in their network armor.