Many of the new vulnerabilities discovered each year involve developers making the same mistakes in different applications. While these programming errors are well-known, they continue to persist due to a lack of standardized security training for developers and the difficulty of identifying a single line of potentially exploitable code in the hundreds or thousands of lines that make up a software application.
In most cases, the impact of a given vulnerability depends on the type of application that contains it and the ways that it can be used to change how that software operates. For example, buffer overflow vulnerabilities are fairly simple. They involve a failure to properly validate user input before storing it in memory. However, buffer overflow vulnerabilities can be very dangerous since they provide an attacker with a great deal of control over how an application works.
For example, the NSA has recently released an advisory regarding the exploitation of buffer overflow vulnerabilities by nation-state attackers in virtual private network (VPN) software commonly used by businesses. While the nature of the vulnerability in question (a buffer overflow) is fairly simple, it warranted a special advisory from the NSA due to the type of software that it impacts (VPNs) and what the vulnerability allowed attackers to do with this software.
Vulnerabilities in VPNs
VPNs are designed to provide a secure connection between a remote user and a protected network. This is typically accomplished by installing client software on the user’s computer that encrypts all traffic between it and the VPN endpoint server on the remote network.
Before a VPN can set up an encrypted channel between a remote user and the VPN endpoint, it needs to authenticate the user in order to ensure that they are authorized to access the protected network. This need for authentication means that VPNs must interact with unauthenticated and untrusted users during the authentication process. VPNs also often do not restrict connections to an allow-list of source IP addresses, since their purpose is to connect remote users to the network from wherever they happen to be. If a VPN has a vulnerability in its authentication process, then this vulnerability can be exploited by a remote attacker before any credentials are checked. In the case of the vulnerabilities described in the NSA warning bulletin, all of the vulnerabilities are buffer overflow vulnerabilities.
A buffer overflow vulnerability is created by a failure to properly validate user input before storing it in a computer’s memory. An application developer allocates a certain amount of memory for the user input and assumes that it will fit in this space (but doesn’t check). If an attacker provides more data than can fit in this space, it allows them to write to memory that they shouldn’t be able to control, which can impact the functionality and security of the application.
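The following C snippet, added here as an illustration and not taken from the post or from any of the VPN products it discusses, shows the mistake described above beside its fix. The buffer size (USERNAME_MAX), the function names and the sample inputs are all constructed for this example. The unchecked version copies input into a fixed-size buffer without comparing lengths; the checked version compares the input length against the space actually allocated and rejects anything that would not fit, including the terminating NUL.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed-size buffer the application reserves for one
   username field (hypothetical value chosen for this example). */
#define USERNAME_MAX 16

/* "Before": the pattern the post describes. The developer assumes the
   input fits in `dest` and copies it without checking. If the input is
   longer than USERNAME_MAX - 1 characters, strcpy writes past the end of
   the buffer; that is the buffer overflow. Shown for contrast only. */
void store_username_unchecked(char *dest, const char *input)
{
    strcpy(dest, input);   /* no length check: overflows if input is too long */
}

/* "After": validate the length against the real size of `dest` before
   storing anything. Returns 0 on success, -1 if the input would not fit
   (one byte is reserved for the terminating NUL). */
int store_username_checked(char *dest, size_t dest_size, const char *input)
{
    if (dest == NULL || input == NULL || dest_size == 0)
        return -1;
    size_t len = strlen(input);
    if (len >= dest_size)          /* too long: reject instead of overflowing */
        return -1;
    memcpy(dest, input, len);
    dest[len] = '\0';
    return 0;
}

/* Wrapper using the example's fixed buffer so the check can be exercised
   without the caller managing memory. Returns 1 if accepted, 0 if rejected. */
int accept_username(const char *input)
{
    char buf[USERNAME_MAX];
    return store_username_checked(buf, sizeof buf, input) == 0;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *ok  = "alice";
    const char *bad = "this-name-is-far-longer-than-sixteen-bytes";
    char safe[USERNAME_MAX];

    /* The unchecked copy is only safe because this input is known to fit. */
    store_username_unchecked(safe, ok);
    printf("unchecked copy of \"%s\": %s\n", ok, safe);

    printf("\"%s\" -> %s\n", ok,  accept_username(ok)  ? "accepted" : "rejected");
    printf("\"%s\" -> %s\n", bad, accept_username(bad) ? "accepted" : "rejected");
    return 0;
}
```

The important design point is that the checked version takes the destination size as a parameter rather than assuming it: the check is only as good as the size the caller passes, so `sizeof buf` is used at the one place where the real allocation is known.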
Impacts of the VPN Vulnerabilities
The VPN vulnerabilities discussed in the NSA advisory were a bit unusual since they were not limited to a single manufacturer. Instead, the NSA warned of exploitation by nation-state attackers of vulnerabilities in three different brands of VPN software: Pulse Secure, Palo Alto GlobalProtect, and Fortinet's FortiGate.
All of the affected versions included buffer overflow and other vulnerabilities that could be exploited by an attacker. The impact of these vulnerabilities varied from product to product but all were significant:
● Remote Arbitrary File Downloads: Attackers could exfiltrate potentially sensitive information from the VPN endpoint
● Remote Code Execution: Attacker-supplied commands could be run on the VPN endpoint with the VPN server's level of permissions
● Password Updates: Attackers could change the password of an authenticated user account
Any of these vulnerabilities in a VPN can be a significant threat to the security of its users, and some of the VPNs have multiple vulnerabilities. In all cases, the manufacturer has patched the vulnerability and made the updated software available to users. However, this patch is only useful to users of the software if they have applied it.
Protecting Against Software Vulnerabilities
The buffer overflow vulnerabilities that prompted the NSA advisory are only one example of many software vulnerabilities that are under active exploitation. In this case, the software in question is widely used and is designed to protect sensitive information passing over an untrusted network, so the potential impact of exploitation is much greater.
The focus of the NSA advisory is not on the organizations that created the vulnerable VPN software but on those that are using the vulnerable versions. Since the manufacturer made the patch available, users have the ability to close the vulnerability and end the threat to their systems. However, the failure to apply these patches is what enables the active exploitation of these vulnerabilities and prompted the statement by the NSA informing users of the existence of the patches and encouraging them to apply the available fixes.
The sheer number of software vulnerabilities in existence makes it difficult or impossible for many organizations to keep up with the need to test and apply fixes for the software that they use every day. Reducing their attack surface and risk of exploitation requires a more scalable approach to managing vulnerabilities. By deploying security solutions that can identify and block attempted exploitation, like a web application firewall (WAF) or runtime application self-protection (RASP), an organization can close the gaps in their cybersecurity and prevent attacks while they are working to update and fix the vulnerable applications on their networks.