
DHS Warnings Bring Light to Surging VPN Vulnerabilities

by May 6, 2020


Since the start of 2020, virtual private network (VPN) usage has spiked by 33% as a flood of people were forced to work from home. With this increase in VPN usage comes a wave of new research into VPN vulnerabilities. One vulnerability, CVE-2019-11510, which has been used to deliver Sodinokibi ransomware, is drawing attention not only from the Department of Homeland Security (DHS) but also from Iranian cyber espionage groups (advanced persistent threats [APTs] 33, 34, and 39). The vulnerability, which affects Pulse Connect Secure, is being actively exploited in the wild by these APT groups. Strictly speaking, CVE-2019-11510 is a pre-authentication arbitrary file read: attackers use it to harvest cached credentials and session data from the appliance and then chain that access into command execution, which is why it is grouped with the RCE-class vulnerabilities below.

However, Pulse Secure is not the only VPN vendor being actively targeted by attackers. We extended our research to cover the top vendors in the market affected by VPN-related Common Vulnerabilities and Exposures (CVEs) over the last 10 years.

Cisco and Pulse Secure are each affected by 44 CVEs, the highest count among the top VPN providers. Measured by average Common Vulnerability Scoring System (CVSS) score, SonicWall stands out: the CVEs affecting its products have the highest average CVSS v2 base score among top VPN products, at 8.2.

Across the 39 VPN products we analyzed over the past 10 years, 147 vulnerabilities were discovered, 23 of which have been weaponized. One observation that did not make headline news: Fortinet had the most weaponized vulnerabilities of any VPN vendor in the market.

Of the 23 weaponized VPN vulnerabilities, Fortinet accounted for nine: seven privilege escalation (PE) vulnerabilities and two remote code execution (RCE) vulnerabilities. Of the top nine VPN vendors, six (Cisco, Pulse Secure, Palo Alto, SonicWall, OpenVPN, and Fortinet) have at least one vulnerability from the last 10 years that has been weaponized, and all but Palo Alto have had at least one weaponized vulnerability in 2017 or later. Palo Alto's weaponized vulnerability (CVE-2012-4043), classed as RCE in this data set, maps to CWE-79 (Cross-Site Scripting) and to category A7 of the OWASP Top 10. From a Common Weakness Enumeration (CWE) perspective, CWE-200 (Information Exposure), CWE-264 (Permissions, Privileges, and Access Controls), and CWE-310 (Cryptographic Issues) each appear three times across the 23 weaponized CVEs.

Among the 11 weaponized vulnerabilities affecting VPN software in the last three years, only one was found to be both trending and an RCE-type vulnerability: CVE-2019-11510, which affects Pulse Secure's Pulse Connect Secure.

Of the 147 vulnerabilities found in the past 10 years across 39 VPN products, 23 CVEs (roughly 16%) are weaponized. Of those, 17 (roughly 74%) allow RCE or PE, the capabilities attackers rely on to breach defenses. 2019 had the highest number of weaponized VPN vulnerabilities of any year, at eight CVEs; one of them is the weaponized and trending CVE-2019-11510.

RiskSense recommends that organizations check their networks for the presence of CVE-2019-11510 and, if found, remediate it as quickly as possible. Pulse Secure's fix ships in Pulse Connect Secure 9.0R3.4, 8.3R7.1, 8.2R12.1, and 8.1R15.1 (advisory SA44101); because the flaw exposes cached credentials, patching should be paired with resetting the credentials of accounts that authenticated through an unpatched appliance. Organizations using VPN products, no matter the vendor, should pay close attention to those products' vulnerability status. Attackers are targeting every VPN vendor in search of new vulnerabilities and exploits, so no one is inherently safe. Applying a risk-based approach to vulnerability prioritization is the fastest path to an improved security posture.
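As an added example (not RiskSense's code or tooling), the Python script below shows two checks a practitioner can run for the recommendation above: classifying a Pulse Connect Secure version string against the fixed releases in Pulse Secure advisory SA44101, and scanning web-server access logs for the directory-traversal request shape against the /dana-na/ handler that public reporting (CISA alert AA20-010A) associates with CVE-2019-11510. The version table and request pattern come from those public sources, not from this article, and the log lines are constructed for illustration.

```python
"""Two checks for CVE-2019-11510 (Pulse Connect Secure arbitrary file read).

Added example, not RiskSense code. Fixed versions follow Pulse Secure advisory
SA44101; the request shape in the log check follows the pattern published in
CISA alert AA20-010A. The log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# First fixed release on each affected branch, per SA44101: (release, minor).
FIXED_RELEASE = {
    "9.0": (3, 4),    # 9.0R3.4
    "8.3": (7, 1),    # 8.3R7.1
    "8.2": (12, 1),   # 8.2R12.1
    "8.1": (15, 1),   # 8.1R15.1
}

_VERSION_RE = re.compile(r"^(\d+\.\d+)R(\d+)(?:\.(\d+))?$")


def parse_pcs_version(version):
    """Split a PCS version such as '8.3R7.1' into ('8.3', (7, 1))."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse Connect Secure version: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3) or 0))


def cve_2019_11510_status(version):
    """Return 'vulnerable', 'fixed' or 'not-listed' for a PCS version string."""
    branch, release = parse_pcs_version(version)
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return "not-listed"      # branch not named in SA44101 (e.g. 9.1RX)
    return "vulnerable" if release < fixed else "fixed"


# Combined-format access log line; the status code separates probes from reads.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
_TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def find_cve_2019_11510_requests(log_lines):
    """Flag requests to the /dana* handlers whose decoded path contains a '..' segment.

    The published probe uses /dana-na/../dana/html5acc/guacamole/../../...;
    matching on any '/dana' prefix also catches variants against /dana-ws/ etc.
    """
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m.group("path"))     # also catches %2e%2e%2f encodings
        if path.startswith("/dana") and _TRAVERSAL_RE.search(path):
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "path": path,
                "status": int(m.group("status")),
                # HTTP 200 on a traversal means the appliance served the file.
                "served": m.group("status") == "200",
            })
    return hits


# Constructed sample lines (not real traffic). Line 2 mimics the published probe
# against an unpatched appliance; line 3 is an encoded variant that was refused.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2020:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123
203.0.113.7 - - [13/Apr/2020:10:01:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1342
198.51.100.9 - - [13/Apr/2020:10:02:11 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 404 0
192.0.2.4 - - [13/Apr/2020:10:03:00 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for v in ("9.0R3.3", "9.0R3.4", "8.2R12", "9.1R1"):
        print(f"{v:10} {cve_2019_11510_status(v)}")
    for hit in find_cve_2019_11510_requests(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["status"], "served" if hit["served"] else "refused", hit["path"])
```

A 200 response to a traversal request is the signal that matters: it means the appliance served the requested file, so the host was unpatched at that moment and any credentials cached on it should be treated as exposed, whatever the version reports today.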

Trending VPN Ransomware

CVE             Type   Ransomware Family   APT Group                        Vendor         Product                 Internet Exposure (4/13/2020)
CVE-2019-11510  RCE    Sodinokibi          Iranian Cyber Espionage Groups   Pulse Secure   Pulse Connect Secure    1310

Note: Internet Exposure is based on Shodan/Internet Storm analysis of the surge in these CVEs being searched for or exposed.
