Your VPN is not as Secure as You Think
—
min read
During the early stages of the pandemic, a client reached us asking about their VPN security. As security professionals, we always do our due diligence and shout “its not secure!!”. Is that what we say by default, as security professionals? While it’s true, some of us get a bit dramatic about it.
Working remotely is the new norm and the quickest security fix that companies use is the VPN services. Without the VPN, the employees will not be able to access company resources. While this is a good measure, like any security measures, it is not 100% secure. In fact, it can even give you a false sense of security.
After following the scope discussions, NDA, and other requirements, we took on the assignment to test the client’s VPN security. The client was using Fortinet SSL VPN v6.0.2, which is from Fortigate, is recognized globally, so you think it must be secure right?
Threat Model
Being intimidated, we strategized our approach and decided to test VPN like any web-application. To start with, we conducted a passive recon, checked on open-source vulnerability databases, such as the CVE and the Fortigate website for any publicly known vulnerabilities. Then, created a threat model using STRIDE framework and assigned all the attack methods and potential vulnerabilities in each component of STRIDE, such as Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege. Refer the Threat Model image.
Following the threat model, we conducted the VAPT on Fortinet’s SSL VPN. This was our first VAPT on a Fortigate product, so we were excited to see what we could find.
After testing, we found three vulnerabilities with a risk score higher than 7.5, which was under high or critical. We also found other medium vulnerabilities, such as cross-site scripting, untrusted SSL certificate, etc. But the essence of our testing was the high and critical vulnerabilities.
Vulnerability: Open Sesame (CVE-2018-13379)
Fortinet VPN v6.0.2 has a directory traversal path vulnerability. This vulnerability enabled to view the User-ID, Password, access level and the IP addresses of active VPN users at that time of attack. It is like saying “Open Sesame” to get all the users’ login credentials. Refer to the image.
Vulnerability: Abraca-dabra (CVE-2018-13382)
Another vulnerability in this version of Fortinet is that it has a magic keyword to change the password for any users. It is an Improper Authorization vulnerability that allows an attacker to change the password of a user with crafted HTTP requests. By using an exploit script (github weblink https://github.com/milo2012/CVE-2018-13382), we can instantly change one of the logged-in users password .Refer to the image.
Vulnerability: Terminator (CVE-2018-13379 and CVE-2018-13382)
By chaining the last two CVE vulnerabilities, you can get a shell access to the network device. The process includes crashing the system, so be very cautious when you attempt this. When we tried this a few times, we ended up crashing it but without shell. Then decided not to go further with it because we didn’t want to push the system way further and cause any damages to our client network. Since we were able to crash it, we are certain that this flaw existed on their Fortigate version. Credit to Orange Tsai for the vulnerability exploit.
Well, there you have it. Fortigate SSL VPNv6 is not as secure as our client thought it is. Fortunately, Fortigate has released patches to make up for these flaws. Remember to always keep your devices updated and get an external party to test your systems, preferably our Netcon professionals. But, in general, VPN services are a good measure to secure your perimeter. However, considering the pandemic induced remote workforce, we should not rely on it too much and prevail with a false sense of security.
BLOGS
Data Center
Mastering Data Center Management with Expert Consulting
Aug 14, 2024
—
13 min read
Data Center
Engaging with Data Center Consultants for Optimal Solutions
Aug 14, 2024
—
12 min read
Data Center
Introduction to Data Center Certifications: An Overview
Aug 14, 2024
—
14 min read
Data Center
Mastering Data Center Operations with Advanced Certifications
Aug 14, 2024
—
12 min read
Ready to take your company to the next level?
Unlock your business potential with us
Ready to take your company to the next level?
Unlock your business potential with us
Ready to take your company to the next level?
Unlock your business potential with us
Ready to take your company to the next level?
Unlock your business potential with us
© Copyright 2024 Netcon Technologies. All rights reserved. All logos and trademarks used belong to their respective owners.
© Copyright 2024 Netcon Technologies. All rights reserved. All logos and trademarks used belong to their respective owners.
© Copyright 2024 Netcon Technologies. All rights reserved. All logos and trademarks used belong to their respective owners.
© Copyright 2024 Netcon Technologies. All rights reserved. All logos and trademarks used belong to their respective owners.
Ready to take your company to the next level?
Unlock your business potential with us
© Copyright 2024 Netcon Technologies. All rights reserved. All logos and trademarks used belong to their respective owners.
BLOG
Your VPN is not as Secure as You Think
BY
—
4
min read
During the early stages of the pandemic, a client reached us asking about their VPN security. As security professionals, we always do our due diligence and shout “its not secure!!”. Is that what we say by default, as security professionals? While it’s true, some of us get a bit dramatic about it.
Working remotely is the new norm and the quickest security fix that companies use is the VPN services. Without the VPN, the employees will not be able to access company resources. While this is a good measure, like any security measures, it is not 100% secure. In fact, it can even give you a false sense of security.
After following the scope discussions, NDA, and other requirements, we took on the assignment to test the client’s VPN security. The client was using Fortinet SSL VPN v6.0.2, which is from Fortigate, is recognized globally, so you think it must be secure right?
Threat Model
Being intimidated, we strategized our approach and decided to test VPN like any web-application. To start with, we conducted a passive recon, checked on open-source vulnerability databases, such as the CVE and the Fortigate website for any publicly known vulnerabilities. Then, created a threat model using STRIDE framework and assigned all the attack methods and potential vulnerabilities in each component of STRIDE, such as Spoofing, Tampering, Repudiation, Information Disclosure, Elevation of Privilege. Refer the Threat Model image.
Following the threat model, we conducted the VAPT on Fortinet’s SSL VPN. This was our first VAPT on a Fortigate product, so we were excited to see what we could find.
After testing, we found three vulnerabilities with a risk score higher than 7.5, which was under high or critical. We also found other medium vulnerabilities, such as cross-site scripting, untrusted SSL certificate, etc. But the essence of our testing was the high and critical vulnerabilities.
Vulnerability: Open Sesame (CVE-2018-13379)
Fortinet VPN v6.0.2 has a directory traversal path vulnerability. This vulnerability enabled to view the User-ID, Password, access level and the IP addresses of active VPN users at that time of attack. It is like saying “Open Sesame” to get all the users’ login credentials. Refer to the image.
Vulnerability: Abraca-dabra (CVE-2018-13382)
Another vulnerability in this version of Fortinet is that it has a magic keyword to change the password for any users. It is an Improper Authorization vulnerability that allows an attacker to change the password of a user with crafted HTTP requests. By using an exploit script (github weblink https://github.com/milo2012/CVE-2018-13382), we can instantly change one of the logged-in users password .Refer to the image.
Vulnerability: Terminator (CVE-2018-13379 and CVE-2018-13382)
By chaining the last two CVE vulnerabilities, you can get a shell access to the network device. The process includes crashing the system, so be very cautious when you attempt this. When we tried this a few times, we ended up crashing it but without shell. Then decided not to go further with it because we didn’t want to push the system way further and cause any damages to our client network. Since we were able to crash it, we are certain that this flaw existed on their Fortigate version. Credit to Orange Tsai for the vulnerability exploit.
Well, there you have it. Fortigate SSL VPNv6 is not as secure as our client thought it is. Fortunately, Fortigate has released patches to make up for these flaws. Remember to always keep your devices updated and get an external party to test your systems, preferably our Netcon professionals. But, in general, VPN services are a good measure to secure your perimeter. However, considering the pandemic induced remote workforce, we should not rely on it too much and prevail with a false sense of security.
Read these next
Data Center
Mastering Data Center Management with Expert Consulting
By leveraging the knowledge and experience of seasoned professionals, organizations can transform their data centers from cost centers into strategic assets that drive business growth.
Read now ➝
Data Center
Engaging with Data Center Consultants for Optimal Solutions
From improving energy efficiency and reducing operating costs to enhancing security and planning for future growth, the right consultant can unlock opportunities that drive business value.
Read now ➝
Data Center
Introduction to Data Center Certifications: An Overview
For both data center professionals and the facilities they manage, the lack of industry-recognized certifications can cause a chain reaction of problems. We solve the pain in this blog.
Read now ➝
© Copyright 2024 Netcon Technologies. All rights reserved. All logos and trademarks used belong to their respective owners.
© Copyright 2024 Netcon Technologies. All rights reserved. All logos and trademarks used belong to their respective owners.