Researchers Find a Way to Compromise Corporate Networks Through Their VPN

• Two DEVCORE researchers will present how they managed to compromise corporate networks in two weeks.
• The researchers have already shared their findings with three VPN vendors who were found to be vulnerable.
• All firms responded by confirming the findings and sending notices sooner or later.

According to a TechCrunch report, DEVCORE researchers Orange Tsai and Meh Chang are about to present security flaws that plague three corporate VPN products on the upcoming Black Hat conference. The flaws allow an attacker to perform remote exploitation to the target systems, and the vendors that are affected by the revelations are Palo Alto Networks, Pulse Secure, and Fortinet. According to the researchers, there’s a way for someone to access a company’s corporate network without needing valid credentials for the VPN server, or any authentication for the intranet. From then on, one could compromise all VPN clients and steal corporate secrets en masse.

Corporate VPN solutions are supposed to provide a safe way for employees to access their company’s network remotely through an HTTPS (SSL) tunnel connection. As there aren’t a lot corporate VPN vendors out there, bugs in even a single platform can potentially affect thousands if not millions of companies. The researchers have found a format string flaw in the Palo Alto GlobalProtect VPN, used by Twitter, Uber, and more. Palo Alto responded by saying that the exploited bugs had already been found internally and pushed a silent fix shortly after the report. However, no notices to their clients were sent initially.

Forti admitted the flaw and explained that it could be exploited via a specially crafted HTTP resource request, allowing an unauthenticated user to download files from the VPN server. Similarly, Pulse Secure also acknowledged the findings of the researchers and notified its customers of the risks, releasing a fixing patch in April. After pressure built up, Palo Alto had to make the fix of the severe security flaw public, losing chunks of trust from its community in the meantime. All three firms have published mitigation advisories, so everyone is urged to follow the guidelines in order to keep their corporate networks safe.

Back in April, researchers from the National Defense ISAC community have discovered that multiple corporate VPN products contain flaws in the way that they store user data on local logs and server memory storage media. Back then, Palo Alto Networks and Pulse Secure were found to be vulnerable again, together with F5 Networks and Cisco. The DEVCORE researchers will present the vulnerabilities on August 7, and will also propose hardening methods that will mitigate the particular, as well as any other zero-day flaws that can impact corporate VPN tools.

Which corporate VPN provider do you trust? Let us know in the comments section beneath, and help us spread the news to more people out there by sharing this post through our socials, on Facebook and Twitter.