Welcome back, my aspiring cyberwarriors!
Although VPN's are sold to keep you safe and secure online, many of them are far from from safe and secure. In fact, some of them may actually make you less secure. This is because the developers, in the most egregious cases, did not take the most rudimentary steps toward securing these devices. As pointed out in my earlier post, the Russians took down the ViaSat satellite internet system in Ukraine and Europe by exploiting a Fortinet VPN vulnerability where the attacker could find the cleartext credentials using a simple directory traversal attack (../../).
In this article, I want to show you some the most egregious vulnerabilities in some of the most widely used VPN's in 2024.
VPN's in Cybersecurity
In the fast-changing world of cybersecurity, Virtual Private Networks (VPNs) have been touted as essential tools for organizations of all sizes and consumers. They provide a relatively safe way for employees to connect to company networks remotely, allowing for flexible work arrangements while safeguarding sensitive information. However, despite their importance, VPNs can also be potential weak points that pose significant risks.
In 2023, the cybersecurity landscape faced a startling reality: there was a dramatic 47% increase in reported VPN vulnerabilities compared to 2022. This alarming statistic has raised significant concerns within the industry, prompting organizations to reevaluate these security measures.
While VPNs are critical for ensuring secure remote access and protecting sensitive data from interception, the rise in vulnerabilities poses a serious threat. If attackers manage to exploit these weaknesses, they can infiltrate networks without detection. This could lead to serious data breaches, ransomware attacks, or extortion. APT around the world have been exploiting these vulnerabilities to access credentials and what were thought of as secure communication.
Given these risks, organizations must understand the vulnerabilities associated with their VPNs. This article will explore the top 5 VPN vulnerabilities identified from 2022 through mid-2024.
CVE-2024-24919 (Information Disclosure in Check Point Quantum Gateway/Spark Gateway/CloudGuard Network Remote Access VPN)
CVE-2024-24919 is an information disclosure vulnerability that can allow an attacker to access certain information on internet-connected Gateways that have been configured with IPSec VPN, remote access VPN or mobile access software blade. According to the advisory, Check Point has observed, in-the-wild exploitation of this vulnerability and so far this exploit activity has been focused on devices configured with local accounts using password-only authentication.
Exploitation
Let's try to exploit this vulnerability on our own. There are already several Proof-of-Concept exploits developed and available on GitHub. Let's use the GoatSecurity implementation as an example.
You can download and clone the repository with the command below.
Navigate to the new directory.
kali> cd cve-2024-24919
Finally, install all the requirements using pip.
kali> pip install -r requirements.txt
As you can see, a Path Traversal attack (also known as directory traversal) was used. It’s a type of security vulnerability that allows a hacker to access arbitrary files and directories stored on file system. This is done by manipulating the input paths, using sequences like ../ to navigate to parent directories. In the script code, we can see these paths.
As a result of running the script, we received valuable system information, which can be used to plan further actions.
CVE-2024-21762 (Out-of-Bounds Write in Fortinet FortiOS)
CVE-2024-21762 is an out-of-bounds write vulnerability in sslvpnd, the SSL VPN daemon of Fortinet's FortiOS. An unauthenticated attacker could exploit this vulnerability by sending specially crafted HTTP requests to a vulnerable device with SSL VPN enabled. Successful exploitation would enable the attacker to execute remote code (rce) or commands on the device.
Almost a month after Fortinet addressed CVE-2024-21762, Shadowserver Foundation reported the discovery of nearly 150,000 vulnerable devices.
Exploration and Research
Let's explore how many FortiOS devices are located in Russia, according to Censys: (FortiOS) and location.country=`Russia`
1804 systems identified. Now, let's check which of these are vulnerable to exploitation. We can download a vulnerability scanner specific to this exploit from github as seen below.
kali> git clone https://github.com/cleverg0d/CVE-2024-21762-Checker.git
Once we have downloaded it, we can direct it to the VPN by simply adding the IP address and port.
kali> python3 check-cve-2024-21762.py <IP> <PORT>
Most of them have been patched, but there are still some vulnerable systems such as this Russian online pharmacy seen below
CVE-2024-3400 (Command Injection in Palo Alto Networks PAN-OS GlobalProtect)
CVE-2024-3400 is a critical command injection vulnerability affecting the GlobalProtect Gateway feature of PAN-OS. An unauthenticated remote attacker could exploit this vulnerability to execute code on an affected firewall with root privileges!
This vulnerability impacts specific versions of PAN-OS, including 10.2, 11.0, and 11.1. Palo Alto Networks has confirmed that several attacks have exploited this vulnerability since its disclosure. Detailed analysis has revealed the sophistication and intent of the attackers, who are linked to the state-sponsored threat actor known as UTA0218. These attackers utilized the vulnerability to establish a reverse shell, enabling them to download malicious tools, exfiltrate sensitive configuration data, and conduct lateral movement within compromised networks.
Searching for Vulnerable Systems
To find the IP addresses of systems running PAN-OS, we can use Shodan or Censys. For verification, we can utilize the following Nuclei template found in the github repository below.
Nuclei is a fast and customizable vulnerability scanner. It enables users to send requests across multiple targets based on templates.
To use nuclei, simply execute nuclei followed by the -t option, then followed by the nuclei template we just downloaded, followed by the IP address and finally -o switch to designate the name of the output file as seen below.
kali > nuclei -t CVE-2024-3400.yaml -u https://<IP> -o results.txt
Next, we can inject a command injection payload into the SESSID cookie value and send it to /ssl-vpn/hipreport.esp. When telemetry is enabled on a Palo Alto GlobalProtect appliance, this value gets concatenated into a string and executed as a shell command!
CVE-2023-27997 (Heap-Based Overflow in Fortinet FortiOS/FortiProxy FortiGate SSL-VPN)
CVE-2023-27997 is a heap-based buffer overflow vulnerability affecting the secure socket layer virtual private network (SSL VPN) functionality in FortiOS and FortiProxy on Fortinet devices, including FortiGate Next Generation Firewalls (NGFW). An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable device, potentially allowing the attacker to execute arbitrary code on the affected device.
This disclosure mirrors previous vulnerabilities reported by Fortinet, such as CVE-2022-40684, a critical authentication bypass in FortiOS and FortiProxy, and CVE-2022-42475, another heap-based buffer overflow in FortiOS SSL VPNs. Fortinet has had a very bad few years. I'm not sure why anyone still trusts their products.
CVE-2022-42475 was exploited in the wild by suspected Chinese threat actors, resulting in the compromise of a government entity in Europe and a managed service provider in Africa. Furthermore, Fortinet's recent blog post indicates that CVE-2022-40684 was targeted by a newly identified threat actor known as Volt Typhoon.
CVE-2023-46805 & CVE-2024-21887 (Improper Authentication & Command Injection in Ivanti Connect Secure/Policy Secure Web)
CVE-2023-46805 and CVE-2024-21887 are two critical vulnerabilities that have had a significant impact on Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. These flaws have drawn considerable attention from cybersecurity professionals due to their severity and potential implications.
The first vulnerability, CVE-2023-46805, is an authentication bypass within the appliances' web component. This allows attackers to access restricted resources by bypassing essential control checks. The second vulnerability, tracked as CVE-2024-21887, is a command injection flaw that enables authenticated administrators to execute arbitrary commands on vulnerable appliances through specially crafted requests.
Ivanti has reported that these two zero-day vulnerabilities have already been exploited in the wild, affecting a limited number of customers. Threat intelligence firm Volexity identified the exploitation of these zero-days in December, linking the attack to a suspected Chinese state-backed threat actor.
This isn’t the first time that Chinese threat groups have targeted Ivanti products; in 2021, they exploited another zero-day in Connect Secure, tracked as CVE-2021-22893, which led to breaches affecting numerous U.S. and European government, defense, and financial organizations.
Summary
VPN's are sold as products that will keep us secure. Unfortunately, lax security standards at these developers have made many of these devices less than secure. This means that if you are dependent upon them to keep you safe and secure, your trust is probably misplaced
The vulnerabilities described here pose significant security risks, enabling attackers to infiltrate networks, steal sensitive data, and deploy malicious software. This highlights the critical need for vigilance and a proactive approach to addressing these security flaws. Hopefully, we've made it clear that VPNs are not as safe as many have thought.
For more on VPN hacking/exploitation, see our upcoming VPN Hacking training, June 2025.