New Vulnerabilities Continue To Haunt Legacy VPN Customers
It’s time to retire legacy solutions and move to a Zero Trust approach
- VPN-based exploits have become a popular choice of attackers since the beginning of the pandemic, and new vulnerabilities are adding to the chaos
- The latest identified zero-day vulnerability, CVE-2021-22893, is being exploited by threat actors in combination with previously disclosed vulnerabilities
- There is no immediate patch available; one is expected in early May. However, Pulse Secure has prescribed some workarounds. The vulnerability has been assigned a CVSSv3 score of 10.0 (Critical)
- Is it time to retire legacy VPN solutions? Gartner released its 2021 Strategic Roadmap for SASE Convergence in late March 2021, in which, for the short term, Gartner recommends deploying ZTNA-based solutions either to augment or replace legacy VPN services. It is therefore better to enhance the security of remote workers and applications by adopting Zero Trust than to keep trusting legacy, soon-to-retire technologies
SSL VPNs were once a dependable alternative for providing remote users with secure access to applications. They were a fallback option, not a primary mode of connectivity. Since the pandemic, organizations have adopted VPNs as a mainstream connectivity solution, which has made them attractive targets for threat actors. Help AG published a calendar of SSL VPN-led attacks, vulnerabilities, severe alerts, and breaches in 2020, and the story continues to haunt customers in 2021.
On 20 April 2021, Ivanti-owned Pulse Secure published an out-of-cycle security advisory (SA44784) regarding a zero-day vulnerability in the Pulse Connect Secure SSL VPN appliance, CVE-2021-22893: a vulnerability in Pulse Connect Secure that allows a remote, unauthenticated attacker to execute arbitrary code via unspecified vectors. In addition to the advisory, Pulse Secure also published a blog post detailing observed exploit behavior related to this zero-day and to other, previously disclosed vulnerabilities in its Pulse Connect Secure solution.
Analysis and Impact
Multiple analysts have posted their initial assessments of this vulnerability and its impact. A few things to note:
- CVE-2021-22893 is a critical authentication bypass vulnerability in Pulse Connect Secure. While no specific details about the flaw are available yet, it is likely that a remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable device. Successful exploitation of this vulnerability would grant an attacker the ability to execute arbitrary code on the Pulse Connect Secure Gateway.
- The Pulse Secure blog confirms that three other, previously disclosed vulnerabilities are being exploited by threat actors in combination with the newly identified one: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260).
- A joint investigation by Pulse Secure and Mandiant, described in a blog post, confirms that the related techniques in use include bypassing single- and multi-factor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through web shells.
- Pulse Secure's parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families, along with the Pulse Connect Secure Integrity Tool, so that customers can determine whether their systems are impacted. A final patch to address the vulnerability will be available in early May 2021.
- It is suspected that Chinese state actors have been using this CVE in Pulse Secure VPN to facilitate intrusions across dozens of organizations, including government agencies, financial entities, and defense companies in the United States and abroad. The actual impact is yet to be confirmed.
How Zero Trust network access solutions with Help AG can help
Zero Trust network access solutions provide a secure and scalable way to access private applications from anywhere. As the solution is not hardware-based, it can be deployed to secure applications in any private data center or in any public cloud such as AWS, Azure or GCP. A few key functionalities are:
- Organizations can protect data and resources with application-level access control based on user identity and device security posture.
- With a Software Defined Perimeter (SDP) architecture, ZTNA solutions do not require inbound access from the internet to the application, i.e. there is no firewall policy allowing connections into the data center to reach applications. This inherently makes the applications unreachable from the public internet, and therefore much more secure.
- Application-based access ensures that no lateral movement is possible.
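The three points above describe one decision model: access is granted per application, only after the user's identity and the device's posture both pass, and nothing is reachable by default. The following Python sketch is an added illustration of that model; it is not Help AG's or any vendor's product code, and the policy, user, application names and posture signals are constructed for the example. It shows why a user cleared for one application cannot reach another, and why a non-compliant device loses access even when the identity is valid.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class DevicePosture:
    """Device signals a ZTNA broker would receive from an endpoint agent (constructed)."""
    managed: bool            # enrolled in the organisation's device management
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last OS patch was applied
    edr_running: bool


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]   # groups asserted by the identity provider


@dataclass(frozen=True)
class AccessRule:
    """One rule per application: who may reach it and in what device state."""
    application: str
    allowed_groups: FrozenSet[str]
    max_patch_age_days: int = 30
    require_managed: bool = True
    require_edr: bool = True


def posture_failures(device: DevicePosture, rule: AccessRule) -> List[str]:
    """Return every posture requirement the device fails for this rule (empty = compliant)."""
    failures = []
    if rule.require_managed and not device.managed:
        failures.append("unmanaged device")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if device.os_patch_age_days > rule.max_patch_age_days:
        failures.append("OS patches older than %d days" % rule.max_patch_age_days)
    if rule.require_edr and not device.edr_running:
        failures.append("EDR agent not running")
    return failures


def decide(policy: Dict[str, AccessRule], user: User, device: DevicePosture,
           application: str) -> Tuple[bool, str]:
    """Per-application decision: default deny, then identity, then device posture."""
    rule = policy.get(application)
    if rule is None:
        return False, "no rule for %s: default deny" % application
    if not (user.groups & rule.allowed_groups):
        return False, "identity not authorised for %s" % application
    failures = posture_failures(device, rule)
    if failures:
        return False, "device posture: " + ", ".join(failures)
    return True, "allowed"


def reachable_applications(policy: Dict[str, AccessRule], user: User,
                           device: DevicePosture) -> Set[str]:
    """Everything this user+device pair can reach. Contrast with a VPN, where one
    successful login typically exposes every host on the routed network segment."""
    return {app for app in policy if decide(policy, user, device, app)[0]}


# Constructed sample policy and principals (hypothetical names, not from any real deployment).
POLICY = {
    "hr-portal": AccessRule("hr-portal", frozenset({"hr"})),
    "finance-erp": AccessRule("finance-erp", frozenset({"finance"}), max_patch_age_days=14),
    "git-server": AccessRule("git-server", frozenset({"engineering"})),
}
ALICE = User("alice", frozenset({"hr"}))
HEALTHY = DevicePosture(managed=True, disk_encrypted=True, os_patch_age_days=5, edr_running=True)
STALE = DevicePosture(managed=True, disk_encrypted=True, os_patch_age_days=45, edr_running=False)

if __name__ == "__main__":
    for app in sorted(POLICY):
        print(app, decide(POLICY, ALICE, HEALTHY, app))
    print("healthy device reaches:", sorted(reachable_applications(POLICY, ALICE, HEALTHY)))
    print("stale device reaches:", sorted(reachable_applications(POLICY, ALICE, STALE)))
```

The order of checks matters: an unknown application is denied before any identity lookup, and posture is evaluated per rule, so a more sensitive application (here `finance-erp`, with a tighter patch window) can demand a stricter device state than the rest without a separate network segment. Real brokers re-evaluate posture continuously rather than once at login; this sketch evaluates it at decision time only.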
Gartner has released its 2021 Strategic Roadmap for SASE Convergence, in which, for the short term, Gartner recommends deploying ZTNA-based solutions either to augment or replace legacy VPN services. It is therefore better to move to a Zero Trust-based solution, and to move fast.
At Help AG, we have developed Cyber Edge X, a SASE-based solution which, in combination with functionalities such as Secure Web Gateway, CASB and DLP, provides a Zero Trust Network Access solution named Help AG Secure Private Access. The solution is hosted locally within Etisalat data centers, providing all the benefits of ZTNA with the least latency and compliance with local data residency regulations.
Want to know more?
Reach out to Help AG experts and we can help you in defining your Zero Trust and SASE Roadmap.