VPN security flaws could open up your network to attacks

News
By published

Attackers could exploit vulnerabilities to access corporate networks

vpn security
Image credit: Shutterstock (Image credit: Shutterstock)

New security flaws discovered in three popular corporate VPN tools by researchers at Devcore could allow attackers to steal confidential information directly from companies' networks.

The firm's Orange Tsai and Meh Chang first discovered the security flaws which affect corporate VPNs from Palo Alto Networks, Fortinet and Pulse Secure.

While consumers utilize VPNs to bypass region blocks and to protect their privacy online, business users often use the services to access resources on their organization's corporate network while working remotely. Typically companies provide their staff with a corporate username and password along with a two-factor authentication code to access their networks using a VPN.

However, according to Chang and Tsai, the flaws they discovered could allow an attacker to gain access to a company's network without the need for a username or password.

SSL VPNs

By using an SSL VPN business users have a convenient way to connect to corporate networks while out of the office but they also provide hackers with an easy way to infiltrate a company's intranet according to Tsai who explained how they can be misused further in a blog post, saying:

“SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to your intranet. Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take over all users connecting to the SSL VPN server!”

The researchers offered further insight on the format string flaw which affects Palo Alto's GlobalProtect portal and GlobalProtect Gateway products in their post. The remote code execution flaw (indexed as CVE-2019-1579) exists in the PAN SSL Gateway and could enable unauthenticated threat actors to remotely execute arbitrary code on target systems if exploited.

Only older versions of the software are affected by the vulnerability but Devcore found that many businesses, including Uber, are still using the outdated software. For example, the researchers found that 22 of Uber's servers were still using a vulnerable version of GlobalProtect.

Palo Alto Networks has alerted its customers regarding the issue in an advisory in which it urged them to update their software to the latest version while Fortinet has updated its firmware to address the vulnerability. Pulse Secure on the other hand, released a patch in April to address the issue.

Via Computing

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in VPN Privacy & Security
A computer file surrounded by red laser beams
Cover your tracks: the risk of sending unencrypted files
Using an Amazon Fire Stick on a Smart TV
How to use a VPN with Fire Stick
Close up of PS5 DualSense controller leaning on a PS5
5 reasons your PS5 needs a VPN
Tor
What is Onion over VPN?
In this photo illustration a Google Play logo seen displayed on a smartphone.
Why is there so much spyware hidden in the Play Store?
PrivadoVPN running on an iPhone during TechRadar's VPN tests
Why PrivadoVPN Free is still the best free VPN for streaming
Latest in News
Panos Panay and Alexa Plus
Amazon's Panos Panay teases future Alexa+ devices from speakers to possible wearables
Metroid Prime 4
I reckon the Nintendo Switch 2 could launch with Metroid Prime 4 – here’s why
Samsung Galaxy Z Fold 6
New rumors predict a foldable iPhone will launch next year – and cost almost twice as much as the iPhone 16 Pro Max
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Logo of YouTube Shorts
Is YouTube auto-playing Shorts when you open the app? Well, you’re not alone - here’s how to fix it
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments
More about vpn privacy security
A computer file surrounded by red laser beams

Cover your tracks: the risk of sending unencrypted files
Using an Amazon Fire Stick on a Smart TV

How to use a VPN with Fire Stick
ViewSonic VP2788-5K Display

Viewsonic's 5K monitor finally goes on sale, but is it already too little too late to make a splash?

See more latest
Most Popular
ViewSonic VP2788-5K Display
Viewsonic's 5K monitor finally goes on sale, but is it already too little too late to make a splash?
Panos Panay and Alexa Plus
Amazon's Panos Panay teases future Alexa+ devices from speakers to possible wearables
Samsung Galaxy Z Fold 6
New rumors predict a foldable iPhone will launch next year – and cost almost twice as much as the iPhone 16 Pro Max
Maxtang SXRL-20 mini pc
This fanless PC looks like a giant heatsink and has one incredible feature: five, yes five, 4K-capable HDMI ports
Aoostar G-flip 370
There's no need for a monitor with this Ryzen AI-powered mini PC
The Ryzen AI Max+ 395 could power the latest generation of powerful mini PCs
This prototype mini PC demonstrates a massive leap forward for integrated graphics in a console form factor
Metroid Prime 4
I reckon the Nintendo Switch 2 could launch with Metroid Prime 4 – here’s why
Minisforum AI X1 mini PC
Tiny Mac Mini rival can power four 8K monitors, and is the first mini PC to receive AMD's powerful Ryzen 7 260 APU
AOOSTAR G-FLIP mini PC
AMD powers the world's fastest all-in-one PC, and yes, I've probably overstretched the definition of AIO PC just a tiny bit
26TB WD Red Pro HDD
Western Digital introduces 26TB WD Red Pro HDDs for RAID and NAS systems at a surprisingly low price