A large slice of the workforce has traded the daily commute for a short walk to the kitchen table or living room sofa. Prior to COVID-19, polls indicated that while more than 40% of U.S. workers had worked from home at some point, only about 4% did so half-time or more. It is hard to be certain, but nearly 60% of U.S. workers may now be working from home between half- and full-time.
That jump of more than an order of magnitude in work-from-home arrangements creates several new challenges for business and IT security. Several of them relate to the way these remote workers connect back to their business networks: through virtual private network (VPN) software and appliances.
Using a VPN gives a remote worker many of the security and privacy properties of a worker physically in the office. Data exchanged between home and the business location is encrypted, so it can safely traverse public and untrusted networks. This gives the remote worker the appearance of a dedicated private link, a concept usually described abstractly as a tunnel, though tinted windows are the closer analogy: other users of the public network can see the cars (packets) but not into them (the encrypted payload). The analogy also captures the limit of the protection: an observer still learns that traffic is flowing, between which endpoints, how much and when. What the VPN hides is the content, and it will also detect any attempt to alter that content in transit.
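To make the tunnel analogy concrete, here is an added example (not code from the original article or from any VPN vendor) that wraps an "inner" packet between two private hosts inside an "outer" packet between two VPN endpoints, then shows what a passive on-path observer gets out of it. The cipher construction is a stand-in chosen so the script runs with the Python standard library alone: HMAC-SHA256 in counter mode for the keystream and an encrypt-then-MAC tag for integrity. Real VPNs use vetted AEAD modes such as AES-GCM; all function names, addresses and the inner packet below are hypothetical and constructed for the example.

```python
import hashlib
import hmac
import json
import os
import struct


def _subkeys(key: bytes):
    """Derive domain-separated keys so keystream and tag never share HMAC inputs."""
    return (hashlib.sha256(key + b"enc").digest(),
            hashlib.sha256(key + b"mac").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the stream cipher in a real VPN."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, inner_packet: dict) -> bytes:
    """Encrypt-then-MAC the whole inner packet, headers included."""
    enc_key, mac_key = _subkeys(key)
    plaintext = json.dumps(inner_packet, sort_keys=True).encode()
    nonce = os.urandom(12)
    ciphertext = bytes(p ^ k for p, k in
                       zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_tunnel(key: bytes, blob: bytes) -> dict:
    """Verify the tag before touching the ciphertext; reject anything modified in transit."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tunnel packet failed integrity check")
    plaintext = bytes(c ^ k for c, k in
                      zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def tunnel(key: bytes, outer_src: str, outer_dst: str, inner_packet: dict) -> dict:
    """Wrap an inner packet (private addresses, application data) in an outer packet
    that travels between the two VPN endpoints over the public network."""
    return {"src": outer_src, "dst": outer_dst, "payload": seal(key, inner_packet)}


def observer_view(outer: dict) -> dict:
    """Everything a passive on-path observer learns: the endpoints and the size.
    The inner addresses and the application data are not recoverable."""
    return {"src": outer["src"], "dst": outer["dst"], "length": len(outer["payload"])}


if __name__ == "__main__":
    # Constructed sample: a home worker (private 10.0.0.5) talking to an internal
    # server (10.0.1.20) through VPN endpoints on documentation-range addresses.
    shared_key = os.urandom(32)
    inner = {"src": "10.0.0.5", "dst": "10.0.1.20", "payload": "GET /payroll HTTP/1.1"}
    outer = tunnel(shared_key, "198.51.100.4", "203.0.113.1", inner)
    print("observer sees:", observer_view(outer))
    print("endpoint recovers:", open_tunnel(shared_key, outer["payload"]))
```

The observer output is exactly the tinted-window view: public endpoints, packet size and (in a live capture) timing, but neither the internal addresses nor the request. Flipping any byte of the outer payload makes `open_tunnel` raise, which is the integrity half of what a VPN buys you.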
Several vendors' VPN products have been shown to have vulnerabilities that organizations have been slow to patch and in which attackers have shown increasing interest:
-CVE-2019-11510 and CVE-2019-11539 are vulnerabilities in select versions of Pulse Secure's Pulse Connect Secure (PCS) solution, which provides remote users access via SSL VPN. The first is a pre-authentication arbitrary file read; the second is a command injection in the admin web interface that requires authentication. Researchers have demonstrated how the two can be chained, using the file read to obtain session data and credentials and the command injection to run commands, achieving pre-auth remote code execution. Recent hacker discussions include comments that exploiting these vulns is "probably easier and more financially rewarding" than hitting a company with something like a denial-of-service attack.
-CVE-2019-1579 is a vulnerability in the GlobalProtect portal and GlobalProtect Gateway interfaces of Palo Alto Networks (PAN) products running select versions of PAN-OS. Exploiting it allows an unauthenticated attacker to execute arbitrary code. It was one of several vulns used successfully by Iranian APT groups after its disclosure, enabling the exploitation of unpatched systems and infiltration of several corporations' IT infrastructure.
-CVE-2018-13379 and CVE-2018-13382 are vulnerabilities in select Fortinet FortiOS versions. The first is a pre-authentication path traversal in the SSL VPN web portal that lets an attacker download system files, including the session file that holds VPN users' credentials; the second is an improper-authorization flaw that lets an unauthenticated attacker change an SSL VPN user's password. Used together they give an attacker with no prior access working VPN accounts and the credentials stored on the device, which is an authenticated foothold on the network rather than code execution on the appliance itself. Since early this year, multiple instances of mass scanning from malicious IPs have been detected where the object of the scans is vulnerable FortiOS versions.
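All three product families above are probed through their public-facing web portals, so the exploitation attempts leave traces in ordinary access logs. As an added example (not code from the original article or from any of the vendors), the script below scans Common Log Format lines for the publicly documented probe shapes: directory traversal under `/dana-na/` reaching for `/etc/passwd` or the PCS runtime database (CVE-2019-11510), traversal through `/remote/fgt_lang?lang=` reaching for `sslvpn_websession` (CVE-2018-13379), and a run of format specifiers in a POST body to `/sslmgr` (CVE-2019-1579). The log lines and request bodies are constructed for the example; the regular expressions are simplified from vendor and CISA advisories and are meant as a starting point, not a complete signature set. Function names are the example's own.

```python
import re
from urllib.parse import unquote

# Patterns applied to the URL-decoded request path. They are deliberately loose so
# that encoded dots and runs of extra slashes (both seen in real scans) still match.
SIGNATURES = [
    ("CVE-2019-11510",
     re.compile(r"/dana-na/.*\.\./.*(?:/etc/passwd|/data/runtime/mtmp)", re.I)),
    ("CVE-2018-13379",
     re.compile(r"/remote/fgt_lang\?lang=.*\.\./.*sslvpn_websession", re.I)),
]

# CVE-2019-1579 is triggered through the POST body to /sslmgr, which an access log
# does not record, so it can only be detected when a proxy or WAF supplies the body.
SSLMGR_PATH = re.compile(r"^/sslmgr(?:\?|$)")
FORMAT_STRING = re.compile(r"(?:%[0-9]*[nsxp]){3,}")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def normalize(path: str) -> str:
    """URL-decode until stable (defeats double encoding), then collapse runs of '/'."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return re.sub(r"/{2,}", "/", path)


def classify(method: str, path: str, body: str = None):
    """Return the CVE id a request appears to probe for, or None if it looks benign."""
    norm = normalize(path)
    for cve, pattern in SIGNATURES:
        if pattern.search(norm):
            return cve
    if (method == "POST" and SSLMGR_PATH.match(norm)
            and body and FORMAT_STRING.search(unquote(body))):
        return "CVE-2019-1579"
    return None


def scan_log(lines, bodies=None):
    """Return (source_ip, cve, raw_path) for each suspicious request.
    bodies: optional {line_index: request_body} for POSTs captured upstream."""
    bodies = bodies or {}
    findings = []
    for i, line in enumerate(lines):
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        cve = classify(m["method"], m["path"], bodies.get(i))
        if cve:
            findings.append((m["ip"], cve, m["path"]))
    return findings


def by_source(findings):
    """Group hits by source IP: a host touching several of these bugs is scanning."""
    out = {}
    for ip, cve, _ in findings:
        out.setdefault(ip, set()).add(cve)
    return {ip: sorted(cves) for ip, cves in out.items()}


# Constructed sample log: benign portal traffic mixed with three probe styles.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2020:08:15:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120',
    '198.51.100.23 - - [12/Apr/2020:08:15:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1843',
    '198.51.100.23 - - [12/Apr/2020:08:15:11 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 65536',
    '192.0.2.44 - - [12/Apr/2020:08:16:30 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 2201',
    '192.0.2.44 - - [12/Apr/2020:08:16:33 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 4096',
    '198.51.100.23 - - [12/Apr/2020:08:17:01 +0000] "POST /sslmgr HTTP/1.1" 200 312',
]
# Constructed body for the POST on line 5, as a WAF might hand it over (URL-encoded).
SAMPLE_BODIES = {5: "scep-profile-name=%25n%25n%25n%25n%25n%25n"}

if __name__ == "__main__":
    for ip, cve, path in scan_log(SAMPLE_LOG, SAMPLE_BODIES):
        print(f"{ip:15} {cve:15} {path}")
    print(by_source(scan_log(SAMPLE_LOG, SAMPLE_BODIES)))
```

A hit on a 200 response is the worrying case: the file-read probes return the requested file only on unpatched builds, so a 200 against `/etc/passwd` or `sslvpn_websession` means the device was exploitable at that moment and the credentials it held should be treated as stolen. Note also that a plain `POST /sslmgr` is normal GlobalProtect client traffic; without the body the script correctly does not flag it.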
Thousands of vulnerabilities are disclosed each year, but only a small fraction (roughly 4%) are ever exploited in the wild. CYR3CON therefore uses artificial intelligence and information mined from sources that include hacker discussions to rate vulnerabilities by their likelihood of exploitation relative to that baseline (the probability that an average vulnerability is exploited). We currently calculate our CyRating® (the multiplication factor above baseline) for the Pulse Secure and Palo Alto Networks vulns at greater than 30x and for the FortiOS vulns at 20x.
Running these products unpatched leaves you vulnerable and at heightened risk in the current environment, given the spike in attention these particular vulns have attracted from bad actors. Prioritize them for mitigation, especially if you now have many more remote workers. Patch first, but do not stop there: the Pulse Secure and FortiOS bugs expose stored credentials and session data, so an attacker who got in before the patch may still hold valid logins. After patching, reset VPN user and administrator credentials, invalidate existing sessions, and review the appliance's web and authentication logs for the directory-traversal style requests these exploits generate.