VPNs Continue to Be Bombarded by Vulnerabilities
Critical vulnerability alerts issued by large VPN vendors continue to fatigue network administrators. On Nov. 8, 2022, Citrix announced three critical vulnerabilities affecting Citrix Gateway (an SSL VPN service) and Citrix ADC (a load-balancing solution for cloud applications deployed in enterprises). These vulnerabilities include:
- CVE-2022-27510: An authentication bypass vulnerability using an alternate path or channel. It is exploitable only if the appliance is configured as a VPN. This issue is rated as a critical severity vulnerability.
- CVE-2022-27513: Insufficient data authenticity verification, allowing remote desktop takeover, with access granted through phishing. The flaw is exploitable only if the appliance is configured as a VPN and the Remote Desktop Protocol (RDP) proxy functionality is configured.
- CVE-2022-27516: The mechanism that protects user logins from brute force attacks can be bypassed, leaving accounts susceptible to brute forcing. This vulnerability can only be exploited if the appliance is configured as a VPN or AAA virtual server with “Max Login Attempts” configured.
To mitigate these issues, Citrix recommends that customers install relevant updates as soon as possible to patch affected environments.
VPN’s Storied History of Vulnerabilities
VPN administrators are all too familiar with these types of vulnerabilities. In 2019, Citrix also announced that the Citrix Application Delivery Controller and Citrix Gateway possessed a vulnerability that potentially exposed the networks of over 80,000 firms to threat actors.
The vulnerability tracked as CVE-2019-19781 could allow remote attackers to access a company’s internal network without requiring authentication. When successfully exploited, it can lead to remote code execution at the will of the threat actors.
These types of vulnerabilities are not unique to any one VPN vendor. At the core of these issues is traditional VPN technology itself, confronted with the complex and nuanced tactics, techniques, and procedures (TTPs) being leveraged by threat actors today.
With VPN software living on the perimeter of the network, exposed to the threats of the Internet, hackers have an open invitation to an organization’s data and network resources. Any critical vulnerability in these products is immediately exploitable by anyone with an Internet connection. This broad attack surface dramatically increases the risk of a potential attack.
The BlackBerry Incident Response (IR) team notes that threat actors typically do not rely on a single exploit. Instead, after using an initial vulnerability to gain access, they may use a myriad of techniques to move laterally across insufficiently protected systems and to exploit any other vulnerability (current or future) they can find. In many cases, the threat actors were already inside the environment long before the initial vulnerability was patched, waiting to exploit the next one. Even with a mature patching program, one hole is too many, and it can lead to the long-term compromise of an unsuspecting victim.
Mitigating the risks associated with traditional VPN technology can start by adopting a zero trust approach to network access. This is a major reason why Gartner projects ZTNA to be the fastest-growing segment in network security, forecast to grow 36% in 2022 and 31% in 2023. The growth is driven by increased demand for zero trust protection for remote workers and organizations, while reducing dependence on VPNs for secure access. This approach entails exposing fewer systems and services to the Internet, which reduces the risk of a breach.
CylanceGATEWAY is a cloud-native approach to ZTNA with security features bolstered by strong AI (artificial intelligence) and ML (machine learning). CylanceGATEWAY also enforces continuous authentication and authorization. These features work harmoniously to reduce the attack surface, and to enforce granular access to only the applications and services required by those with appropriate and verified permissions.
These security features are coupled with user experience enhancements and improved performance: better tunneling protocols, the elimination of backhauled traffic by minimizing traffic flow to the corporate data center, and broad points of presence globally, all of which foster a better user experience for work-from-anywhere environments.
When implemented holistically, ZTNA is a deterrent against ransomware, command-and-control (C2) beacons, privilege escalation, DNS tunneling, and data exfiltration. In addition to reducing the attack surface, this cohesion prevents lateral movement and unwanted application discovery, and provides greater visibility into network activity for both on-premises and cloud resources.
BlackBerry supports a cloud-native approach to ZTNA to provide modern enterprises with a fast, reliable, and elastic solution that empowers digital business transformation while keeping data, applications, and users secure.
Learn more about harnessing the power of ZTNA to combat growing threat vectors with the BlackBerry® solution CylanceGATEWAY™.