Your VPN is not as Secure as You Think

Nov 29, 2023

During the early stages of the pandemic, a client reached out to us asking about their VPN security. As security professionals, we always do our due diligence and shout “it's not secure!!”. Is that what we say by default, as security professionals? While it’s true, some of us get a bit dramatic about it.

Working remotely is the new norm, and the quickest security fix that companies reach for is a VPN service. Without the VPN, employees cannot access company resources. While this is a good measure, like any security measure, it is not 100% secure. In fact, it can even give you a false sense of security.

After completing the scope discussions, NDA, and other requirements, we took on the assignment to test the client’s VPN security. The client was using Fortinet SSL VPN v6.0.2, which is from Fortigate and is recognized globally, so you would think it must be secure, right?

Threat Model

Being intimidated, we strategized our approach and decided to test the VPN like any web application. To start with, we conducted passive recon and checked open-source vulnerability databases, such as CVE, and the Fortigate website for any publicly known vulnerabilities. Then we created a threat model using the STRIDE framework and assigned all the attack methods and potential vulnerabilities to each component of STRIDE, such as Spoofing, Tampering, Repudiation, Information Disclosure, and Elevation of Privilege. Refer to the Threat Model image.

Following the threat model, we conducted the VAPT on Fortinet’s SSL VPN. This was our first VAPT on a Fortigate product, so we were excited to see what we could find.

After testing, we found three vulnerabilities with a risk score higher than 7.5, which falls under high or critical. We also found other medium-severity vulnerabilities, such as cross-site scripting, an untrusted SSL certificate, etc. But the essence of our testing was the high and critical vulnerabilities.

Vulnerability: Open Sesame (CVE-2018-13379)

Fortinet VPN v6.0.2 has a directory (path) traversal vulnerability. This vulnerability made it possible to view the user ID, password, access level and IP addresses of the VPN users who were active at the time of the attack. It is like saying “Open Sesame” to get all the users’ login credentials. Refer to the image.
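A defender-side check for the traversal class described above, as an added example that is not part of the original post: it scans the portal's web access logs for `..` path segments, including percent-encoded and double-encoded forms. The log lines, client addresses and `/portal/...` paths are constructed for illustration and are not the product's real URLs.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: enough layers for typical double-encoding tricks

# Constructed access-log lines (common log format); clients and paths are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Apr/2020:10:00:01 +0000] "GET /portal/login?lang=en HTTP/1.1" 200 512
198.51.100.9 - - [01/Apr/2020:10:00:05 +0000] "GET /portal/lang?name=../../../../etc/passwd HTTP/1.1" 200 1841
198.51.100.9 - - [01/Apr/2020:10:00:09 +0000] "GET /portal/lang?name=%252e%252e%252f%252e%252e%252fsecret HTTP/1.1" 404 0
203.0.113.4 - - [01/Apr/2020:10:01:00 +0000] "GET /portal/docs/v1..2/readme.txt HTTP/1.1" 200 90
203.0.113.5 - - [01/Apr/2020:10:01:30 +0000] "GET /portal/img?f=..%5c..%5cconfig HTTP/1.1" 403 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/[\d.]+" (\d{3})')


def fully_decode(uri):
    """Percent-decode until stable; return (decoded_uri, rounds_needed)."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri, rounds = decoded, rounds + 1
    return uri, rounds


def has_traversal(uri):
    """True only if '..' appears as a whole segment, so 'v1..2' is not flagged."""
    decoded, rounds = fully_decode(uri)
    segments = re.split(r'[/\\?&=;]', decoded)  # path, query and Windows separators
    return ".." in segments, rounds


def scan(log_text):
    """Return one finding per request whose URI contains a traversal segment."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, uri, status = m.group(1), m.group(2), int(m.group(3))
        hit, rounds = has_traversal(uri)
        if hit:
            findings.append({"client": client, "uri": uri, "status": status,
                             "encoded_rounds": rounds, "served": status == 200})
    return findings
```

A finding with `served` set means the portal answered the traversal request with a 200 and should be triaged first; `encoded_rounds` above 1 indicates a deliberate attempt to slip past a single-pass filter.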

Vulnerability: Abraca-dabra (CVE-2018-13382)

Another vulnerability in this version of Fortinet is that it has a magic keyword to change the password for any user. It is an Improper Authorization vulnerability that allows an attacker to change the password of a user with crafted HTTP requests. By using an exploit script (GitHub link: https://github.com/milo2012/CVE-2018-13382), we can instantly change the password of one of the logged-in users. Refer to the image.

Vulnerability: Terminator (CVE-2018-13379 and CVE-2018-13382)

By chaining the last two CVE vulnerabilities, you can get shell access to the network device. The process includes crashing the system, so be very cautious when you attempt this. When we tried this a few times, we ended up crashing it but without getting a shell. We then decided not to go further with it because we didn’t want to push the system any further and cause any damage to our client's network. Since we were able to crash it, we are certain that this flaw existed on their Fortigate version. Credit to Orange Tsai for the vulnerability exploit.

Well, there you have it. Fortigate SSL VPNv6 is not as secure as our client thought it was. Fortunately, Fortigate has released patches to make up for these flaws. Remember to always keep your devices updated and get an external party to test your systems, preferably our Netcon professionals. In general, VPN services are a good measure to secure your perimeter. However, considering the pandemic-induced remote workforce, we should not rely on them too much and carry on with a false sense of security.

© Copyright 2024 Netcon Technologies. All rights reserved. All logos and trademarks used belong to their respective owners.
