Unraveling Common VPN Flaws

Chances are your VPN is vulnerable

Think your VPN is safe? Odds are, it has exploitable vulnerabilities.

“The common belief is that VPN systems are invulnerable, when, in fact, they are frequently the weak link in an otherwise secure system,” says Roy Hills, the technical director of NTA Monitor Ltd., based in Rochester, England.

The security testing company studied VPNs over a three years and found 90 percent of remote-access VPNs have exploitable vulnerabilities. “The tests were mainly carried out for large organizations, including financial institutions that had their own in-house security teams,” notes Hills.

Businesses like VPNs as an easy, low-cost way to give mobile users access to Web-based applications and interfaces. According to Forrester Research, 44 percent of U.S. businesses have deployed SSL VPNs.

Yet VPNs are also attractive targets, according to Hill. For one thing, they “carry sensitive information over an insecure network.” Some VPNs even grant full network access. Furthermore, “while VPN traffic is usually invisible to IDS [intrusion detection system] monitoring,” so once an attacker has access, it probably won’t raise warning flags. This is especially attractive given the general overall increase in security elsewhere in the organization, he notes, from more-difficult-to-penetrate firewalls, to servers located in network DMZs.

One prevalent VPN vulnerability allows for username enumeration, says Hills. “Many remote access VPNs have vulnerabilities that allow valid usernames to be guessed through a dictionary attack, because they respond differently to valid and invalid usernames.” In other words, many VPNs specify whether a username, or password, or both have been incorrectly entered. Of course, best practices security dictates devices not do this. “However, many VPN implementations ignore this rule.” As a result, attackers get verification when they find an accurate username.

Usernames in general are a risk since many are “based on people’s names or e-mail addresses.” This makes them susceptible to dictionary attacks, which allows an attacker “to recover a number of valid usernames in a short period of time.” Furthermore, many VPNs do not automatically disable user accounts after a certain number of failed log-ins, meaning attackers can continually probe for existing usernames.

NTA proved this vulnerability in a number of clients’ environments, notes Hill. “It is believed this VPN guessing issue is a new discovery and several vendors have been notified.” Even so, “the vendors have not always implemented fixes after notification, so many systems are still vulnerable.”

Once an attacker obtains a valid VPN username and password combination, other attacks are possible beyond just surreptitiously logging in. For example, once a valid password is obtained, “it is possible to obtain a hash from the VPN server and use this to mount an offline attack to crack the associated passwords,” says Hill. The processing power required for the task is relatively trivial. Hill says a six-character password that uses only letters could be brute-force cracked in 16 minutes. A more complex password—six characters, using a combination of letters and numbers—might take two days. As the work occurs offline, an attacker also won’t be registering attempted log-ins on the server.

To help identify these vulnerabilities, NTA released ike-scan, a free tool—licensed under the GNU general public license—for Unix, Linux, and Windows. It allows security administrators to search the corporate network for VPNs, and also for known VPN vulnerabilities. Products from such vendors as Checkpoint, Cisco, Microsoft, Nortel, and Watchguard can be detected. “The detection of these products does not imply that any particular product is at fault, more that these are among the most commonly found VPN products,” cautions NTA. Despite the tool being free, by no means does it offer one-click VPN vulnerability remediation. Hill notes it’s “quite complex and needs to be fully understood in order to be used effectively.”

Related Articles:

Yankee Group Says Security Outsourcing Set to Explode

Case Study: UCI Cinema Adopts SSL VPN for Anytime, Anywhere Access

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.