Serious Security Flaw Discovered in Three Widely Used VPNs – Update Now!
Virtual Private Networks (“VPNs”) are a secure way for employees to access firm files remotely, whether working from a home office or while travelling. They work by creating an encrypted connection from a laptop or PC to a firm’s server and allowing users to securely access and transfer files while out of the office.
Access to a VPN is typically gained by entering credentials and verifying your identity with an additional step, usually a multi-digit code or authorization through a pre-configured app.
According to two security researchers, a serious flaw was “accidently” discovered recently, which could allow hackers access to firm networks without requiring any credentials at all. “We could compromise the VPN server and corporate intranet with no authentication required, compromise all the VPN clients, and steal all secrets from the victims.” Devcore researcher Orange Tsai told TechCrunch.
In effect, they could have unfettered access to all your firm’s information – that includes data that is personal, proprietary and confidential!
According to technology news site TheInquirer.net, three major VPN providers are affected:
- FortiGate’s FortiOS
Versions 5.6.3 to 5.6.7, 6.0.0 to 6.0.4
Note: This vulnerability is only present if SSL VPN (web- or tunnel-mode) is enabled.
FortiGate has released updates and provides more information about this vulnerability here.NIST has also released a Common Vulnerabilities and Exposures (“CVE”) specific to the FortiOS vulnerability. Info about CVE-2018-13379 can be found here. - Palo Alto Networks’ Global Protect Portal and GlobalProtect Gateway interfaces
GlobalProtect Portal/Gateway Interface (PAN-SA-2019-0020), PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected.
Palo Alto Networks has released updates and provides more information about this vulnerability here.NIST has also released a CVE specific to the Palo Alto vulnerability. Info about CVE-2019-1579 can be found here. - Pulse Secure
Pulse Connect Secure and Pulse Policy Secure products were affected. The company released patches in April 2019 to remedy this vulnerability. If you use either of these products ensure all updates have been installed, especially the patches released by the company in April. Pulse Secure security advisories can be found here.
If your firm allows employees to work remotely and uses VPN software to accomplish this, be sure to ask your IT vendor whether the products mentioned above are in use at your firm; if so, ensure they install the necessary updates immediately!
For more cybersecurity help, here are some helpful resources:
- Webinar – Getting Practical with Cyber, Part I: Testing & Validating Your Risk Controls
- Webinar – Getting Practical with Cyber, Part II – In the Driver’s Seat: Your Critical Role in Cyber Resiliency
- CSS Cybersecurity Solution – Shield
Ask us how we can help tailor a package to meet your needs. Fill out our form here and receive our free checklist for evaluating policies for cyber insurance coverage.