VPN Vulnerability Described as “DEFCON 1”

We recently published a blog post about the Russian hacker leaking of around 900 enterprise VPN passwords. How was this damaging “DEFCON 1” level attack possible and how can it be prevented?

The ZDNET article concluded with this:

"The publication of this list as a free download is a literal “DEFCON 1” danger level for any company that has failed to patch its Pulse Secure VPN over the past year, as some of the ransomware gangs active on this forum are very likely to use the list for future attacks."

How was this damaging “DEFCON 1” level attack possible and how can it be prevented?

How it happened relates to three core security flaws inherent in VPNs:

• Regularly occurring remotely exploitable vulnerabilities
• Open listening port(s) on the internet
• Username and password only

Let’s look closer at each of these issues and how they create unnecessary risk to your network.

First: A critical, exploitable vulnerability

The hack started with a known CVE, or Common Vulnerability and Exposure, that was published in April of 2019 classified as CVE-2019-11510.

This type of vulnerability is usually related to a flaw in the code or development of the software and is very common. Most enterprises have to unleash teams of people to find, uncover and patch these vulnerabilities on a regular basis. A great example is Microsoft’s “Patch Tuesday” where they release the latest batch of fixes for their software.

Unfortunately, the patches to fix some CVE’s often create new vulnerabilities that later need to be patched. And the cycle continues. It is the nature of software. No enterprise can patch all vulnerabilities, it’s a constant struggle and a near impossibility.

Not all CVEs are created equal.

CVE’s come in all different flavors. Some can’t be exploited, and some can. For this blog, I’ll focus only on CVE’s that have a matching known exploit. Some exploitable CVE’s are benign and some cause critical exposures and attack points for threat operators.

For simplicity, vulnerabilities fall into three categories:

• Worse: Vulnerabilities that can be exploited remotely
• Worse than worse: Remote exploits that don’t require ANY authentication
• Everything else

The Pulse Secure VPN vulnerability exploited by a Russian hacker falls into the “worst of the worst” bucket – from the NIST Description, “an unauthenticated remote attacker that can send a specially crafted URI to perform an arbitrary file reading vulnerability”.

Second: A listening port (that allows connections before authentication)

What made this CVE so much more dangerous is the classic VPN design (flaw) from 1996 that remains unchanged to this day: You have to connect to a VPN first and then authenticate. This exposes your VPN to the entire wild west of “interwebs.”

VPNs use TCP/IP protocol to connect first, authenticate second, making it possible to launch a remote attack without the need for credentials. This is what attackers dream about at night. It is a literal gold mine for those financially motivated or with malicious intent.

Threat operators and APT groups systematically scan and exploit this vulnerability. In the case of the Pulse Secure VPNs, they exploited the read-only rights to collect login details. Why the attacker posted them for free vs. monetizing the exploit is a blog for another day.

Third: Username and password only

That brings us to the final flaw and a shining example of why passwords are increasingly problematic. There is a big push among Zero Trust proponents to go passwordless, and I am all for it. But it will take time for this technology to become mainstream. In the meantime, we are left with username and passwords. Or are we? There is a concept called “trusted device,” which we will talk about later.

Password leakage brings back into focus the second point I illustrated – listening ports. Because of this open port on ALL VPNs, anyone can exploit it to try to connect and then actually authenticate with admin rights. If successful, a remote threat operator has full admin rights and the potential for damage is tremendous.

Referring back to the ZDNet article, I agree with their assessment that this weakness inherent in VPNs creates a “DEFCON 1” situation. Even if enterprises changed all passwords right away, the remote exploit is still under attack.

How this attack and exposure could have been prevented

It’s clear that VPNs aren’t fit for purpose in today’s threat environment. The solution is clear: Kill your VPN, and switch to a modern technology solution that eliminates VPN-created security risks. It’s called SDP (or Software-Defined Perimeter).

Remember VPNs first hit the market in 1996. The same year the first DVD was produced! Fast forward 23 years. Today, we would never design a system with an open port to allow a user to connect first, authenticate second. With SDP technology, the opposite is true – you authenticate before ever connecting to the network.

Let’s look at how Appgate SDP would have prevented exploitation of open ports and leaky passwords with some out of the box technology:

Single Packet Authentication (SPA)

The Department of Defense uses the term “Black Cloud,” which means everything on the network is completely invisible to attackers. Appgate SDP creates a “Black Cloud” with a sophisticated door-knocking technology called Single Packet Authentication (SPA). SPA makes the entire network architecture completely invisible externally.

SPA technology would have completely prevented a VPN-type attack from the start, regardless of ANY exploitable CVE’s that may exist.

Trusted Device + SPA

With SDP, only a trusted device that has undergone a deep posture check combined with the right SPA packet can even find the authenticating mechanism. I could type my username and password in this blog AND give you the URL of the SDP controller and a sophisticated hacker still wouldn’t be able to break in, much less authenticate. In fact, the Cloud Security Alliance Software-Defined Perimeter Working Group actually held a contest challenging anyone to try and hack a SDP system. With over 10 billion packets sent (attack attempts), no one was able to penetrate even the first layer of security. The prize remains unclaimed. Many of Appgate
Fortune 500 customers put their full red teams to work at breaking in and finding vulnerabilities – none were successful.

Let’s not kid ourselves; just because a vendor releases a patch doesn’t mean it’s easy to install. Sometimes the business won’t allow the patch due to potential down time that can impact the bottom line. This is evident in the fact that more than 9+ months after CVE-2019-11510 was issued, there are still hundreds of unpatched Pulse Secure VPNs exposed to the internet. It’s a certainty that APT groups and threat operators are systematically attacking these systems daily.

SDP is a modern technology built to combat today’s threats. Because it doesn’t advertise an open port in the first place, patching becomes less critical.

Learn how Appgate SDP prevents attacks with:

• SPA – Cloaked, no open ports, no systematic attacks
• SPA – Protected, no more remotely exploitable vulnerabilities
• Trusted Device + SPA – Secured, no more reliance on only username and password