In recent months, several vulnerabilities have been found in Virtual Private Network (VPN) technology from various providers, putting sensitive data and networks at risk of compromise, says the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC).
According to the NJCCIC, the National Security Agency (NSA) and the UK's National Cyber Security Centre (NCSC) issued advisories in October highlighting the exploitation of VPN vulnerabilities by advanced persistent threat (APT) actors. Researchers at Immersive Labs recently discovered and disclosed a vulnerability within Aviatrix VPN, a cloud-native networking software provider which provides VPN services to various enterprises such as NASA, Shell and multiple telecommunication companies. The vulnerability could allow a threat actor to achieve privilege escalation on a compromised machine and gain access to system files and network services, says the report. A patch was released shortly after the disclosure.
In addition, a separate vulnerability, CVE-2019-14899, was identified in Linux distributions, FreeBSD, macOS, iOS and Android operating systems that could allow a threat actor to hijack active connections inside a VPN tunnel, affecting a range of VPN technologies, says the report. A patch is not yet available; however, the vulnerability is difficult to exploit, the NJCCIC notes.
The NJCCIC advises Aviatrix VPN users and administrators to apply the most recent patch, version 2.5.7. They urge organizations to review VPN settings and configuration options, monitor network traffic logs, enable multi-factor authentication, whitelist authorized IP addresses and disable unnecessary or unused ports.