In the world of cybersecurity, remote access is essential for enterprise operations, allowing employees to work from anywhere and IT teams to manage systems remotely. However, traditional VPN/SSLVPN devices, often integrated into Next-Generation Firewall (NGFW) platforms, have become a double-edged sword. While they facilitate secure remote access, they also present significant security risks. In this blog, we explore the dangers of traditional VPNs, the impact of zero-day vulnerabilities, and how modern solutions like Admin By Request Remote Access offer a safer alternative, especially in light of the active exploitation of vulnerabilities like CVE-2024-20353 and CVE-2024-20359 affecting Cisco firewall platforms. Read more on the Cisco VPN vulnerability, and others like it, below.

The Problem with Traditional VPNs and Remote Access VPN Sessions

VPNs are designed to provide secure remote access to corporate networks, but their design and implementation can create vulnerabilities. These devices typically reside on the public internet, making them highly visible to malicious actors. This exposure, combined with their reliance on outdated security practices, often undermines their effectiveness.

Specific affected devices, such as Windows, macOS, and Linux versions, can be compromised due to outdated security practices and configurations, making them susceptible to various vulnerabilities.

Examples of Where VPNs are Lacking

For instance, many traditional VPNs may still utilize outdated encryption algorithms, such as DES or RC4, which are susceptible to brute-force attacks. Additionally, some VPN implementations may lack robust authentication mechanisms, relying solely on usernames and passwords rather than more secure methods like multi-factor authentication. Furthermore, inadequate patch management practices can leave VPN devices vulnerable to known exploits and vulnerabilities.

Zero-Day Vulnerabilities and Their Impact: Execute Arbitrary Code

Zero-day vulnerabilities, or security flaws that are previously unknown and unpatched, have become a favorite target for cybercriminals. In 2024 alone, several high-profile VPN vendors have fallen victim to zero-day exploits, allowing attackers to gain unauthorized access to private networks through successful exploits. This creates significant risks for businesses, leading to unauthorized data access, system control, and potential breaches that can take months to detect. It’s critical to understand why traditional remote access solutions are so vulnerable, and what steps can be taken to mitigate these risks.

In 2024, four major VPN vendors faced these vulnerabilities, highlighting the risks associated with traditional remote access solutions. Let’s delve into these incidents and understand how they affected some of the industry’s leading companies.

Palo Alto Networks

Palo Alto Networks suffered from a critical command injection vulnerability (CVE-2024-3400), which was exploited in limited attacks. This vulnerability allowed attackers to gain control over specific Palo Alto firewalls, resulting in a significant breach. Researchers from Palo Alto Networks’ Unit 42 and Volexity released threat briefs detailing how the backdoor, dubbed UPSTYLE, works and persists within targeted devices. This Python-based backdoor allows threat actors to execute arbitrary commands, and if left unchecked, can lead to data theft and lateral movement across corporate networks.

Further investigation revealed that attackers were targeting domain backup keys and active directory credentials, using a service account to pivot across affected networks. PAN urged customers to implement mitigations and workarounds quickly, as the attacks could escalate, and more threat actors could exploit the vulnerability. Palo Alto Networks also provided guidance on collecting logs and preserving forensic artifacts, emphasizing the need for swift and comprehensive response to prevent further damage.

Cisco Adaptive Security Appliance

Cisco’s Adaptive Security Appliances (ASA) were compromised through two zero-day vulnerabilities (CVE-2024-20353, CVE-2024-20359). A state-sponsored threat actor used custom malware to install backdoors on Cisco Adaptive Security Appliance devices, leading to unauthorized access to government networks worldwide. Cisco Talos, in collaboration with other companies and governmental agencies, investigated the attack, revealing that it involved bespoke tooling and sophisticated anti-forensic measures, indicating a state-sponsored source.

The attackers used custom malware, Line Dancer and Line Runner, to maintain persistence and execute arbitrary commands on the Cisco ASA devices. For example, a Cisco ASA device with specific SSL listen sockets was found to be affected. This campaign, known as ArcaneDoor, highlighted the ongoing threats to “edge” networking devices like VPNs and firewalls running Cisco ASA Software. Additionally, vulnerabilities in Cisco Firepower Threat Defense were significant in this context.

Cisco released patches and provided guidance to mitigate the vulnerabilities affecting Cisco firewall platforms, encouraging customers to monitor system logs and apply patches immediately to prevent further exploitation. Specific CVEs such as CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359 were exploited in the Firepower Threat Defense (FTD) software. The attackers targeted FTD software, emphasizing the importance of updating to the latest version to mitigate these vulnerabilities. It is crucial to check if a device is running Cisco ASA Software to determine vulnerability.

The threat actor exploited vulnerabilities in Cisco Firepower Threat Defense (FTD) Software, targeting government-owned perimeter network devices.

Fortinet

Fortinet faced critical remote code execution vulnerabilities (CVE-2024-21762, CVE-2024-23313) that could allow remote attackers to execute arbitrary code or commands. The exploitation of these vulnerabilities was confirmed by CISA, though the details of the attacks remain undisclosed. CVE-2024-21762 and CVE-2024-23313 affect various versions of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager.

Fortinet advised users to migrate to fixed releases or apply workarounds to mitigate the risks. Rapid7 researchers noted that Fortinet SSL VPN vulnerabilities have a history of being targeted by state-sponsored threat actors. Fortinet’s case demonstrates the ongoing need for vigilance and timely patching to safeguard against potential breaches.

Ivanti

Ivanti Connect Secure VPN gateways and Policy Secure suffered from a server-side request forgery (SSRF) vulnerability (CVE-2024-21893), allowing attackers to bypass authentication and access restricted resources. This flaw, when chained with a command injection vulnerability, led to unauthorized remote code execution. Ivanti and Mandiant explained that this new technique bypassed Ivanti’s original mitigation, indicating a significant security concern.

Ivanti’s case highlighted the challenges organizations face when dealing with zero-day vulnerabilities in widely used remote access solutions. This exploitation added to Ivanti’s existing security concerns, prompting the US Cybersecurity and Infrastructure Agency (CISA) to recommend disconnecting all instances of Ivanti Connect Secure and Policy Secure products from agency networks.

These incidents underscore the inherent dangers of traditional remote access solutions, driven by outdated security practices, misconfiguration, and resistance to technological changes. The vulnerabilities left these devices susceptible to unauthorized access, leading to a lack of business continuity and significant security risks.

The Urgency for a New Approach Amid Active Exploitation

Given the growing risks associated with zero-day vulnerabilities and traditional remote access solutions, it’s crucial to consider modern alternatives that offer enhanced security features. Following a security advisory from official sources is essential to mitigate vulnerabilities and protect your systems. Admin By Request’s Remote Access provides a secure and comprehensive solution, combining multi-factor authentication, endpoint security, and real-time monitoring to prevent unauthorized access.

Admin By Request’s approach focuses on Privileged Access Management (PAM) and ensures a layered defense strategy. With robust session recording, time-limited access authorization, and browser-based remote access, organizations can maintain strict security protocols without compromising productivity. This solution can help organizations safeguard against zero-day vulnerabilities and ensure that remote access is secure and reliable.

Conclusion

Traditional VPNs pose significant risks due to their inherent vulnerabilities and exposure to zero-day exploits. To protect against these dangers, organizations must adopt a more secure approach to remote access. Admin By Request Remote Access offers a comprehensive solution that addresses the limitations of traditional VPNs, providing advanced security features and a user-friendly experience. By embracing modern remote access solutions, businesses can safeguard their digital assets, maintain compliance, and protect their operations from cyber threats.

Where to Next?

If you’re interested in learning more about Admin By Request Remote Access and how it can help secure your organization’s remote access needs, contact us today. Don’t let outdated remote access solutions put your business at risk—choose a safer, more secure alternative.