January was a month of brutal honesty for many of the world’s largest IT companies. First, Intel, ARM, and AMD confessed to Meltdown and Spectre vulnerabilities. And then, just two days before the month ended, Cisco also entered the confessional to admit a vulnerability in their WebVPN portals.
Cisco’s vulnerability affects a much smaller user base than the chipmakers’ flaws do. Still, the announcement was a huge shock for any business or institution relying on WebVPN to secure remote access to its network, institutions such as the University of California Irvine, Barnard College, Raytheon, and many others.
A vulnerability is different from a virus in one fundamentally important way. A virus has to get past perimeter security, such as a firewall, before it can infect a private network: a virus or other malware needs someone or something to fail in order to work.
A vulnerability is more like a pre-programmed failure, a window at the back of the house left open for any would-be thief who comes across it. But a vulnerability is a far bigger problem in software than in home security, because the flaw ships with the product. As soon as an attacker learns that it exists, the same flaw can be exploited in every organization running the affected software, anywhere.
With the exception of Cisco’s clientless WebVPN, anyone who uses a Virtual Private Network (VPN) is normally required to download and install a “client” and run that software in order to connect to the private network. The client can work in any number of ways to establish a virtual point-to-point connection and protect data sent to and received from the private network. By combining tunneling protocols with traffic encryption, a VPN extends the security of a private, on-premise network across the public Internet, so that data in transit cannot be read or tampered with by anyone along the path.
The Cisco “clientless” VPN doesn’t so much remove the need for client software as hide it: the portal pushes whatever it needs down to the browser when the user logs in. But to make access that seamless, the portal has to answer any browser that connects, before the user has proven who they are, and it does not force certificate validation at login. That leaves the device’s web front end, and the parsers behind it, reachable by unauthenticated input, which significantly reduces its security potential.
Certificates are an important, and we think integral, security feature of a VPN because they limit who can even attempt to log in. Without a certificate requirement, a clientless VPN portal is open to web-based attack from anyone who can reach it.
In the case of the recently disclosed vulnerability, an attacker can exploit the “clientless” WebVPN interface to bypass the device’s security completely: run code of their own choosing on the device and ultimately take full control of it, or simply crash it and take the VPN offline.
To breach a device this way, the attacker sends a series of crafted XML messages to the WebVPN interface of the target. The way the device handles them causes the same block of memory to be released twice, a “double free.” A second free does not leak memory; it corrupts the allocator’s bookkeeping for the heap. An attacker who can then steer what the device allocates next can turn that corruption into writes to memory the device never intended to expose, and from there into executing whatever commands he or she wants on the system.
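To show the bug class in code rather than in prose, here is an added example (ours, not Cisco’s code, and not the real WebVPN parser) of the pattern described above: a hypothetical message handler allocates a buffer, an error path frees it, and a shared cleanup path frees it again. A small tracking allocator, constructed for this example, counts the second free instead of handing it to the real heap, where it would corrupt allocator bookkeeping. The fixed handler beside it applies the standard remedy: clear the pointer as soon as ownership is released, so a later free becomes a no-op.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator (constructed for this example): records live blocks so
 * that freeing a block that is no longer live is detected and counted rather
 * than passed to free() a second time. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    free(p);                            /* table full: fail closed */
    return NULL;
}

static void tracked_free(void *p) {
    if (p == NULL) return;              /* free(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    double_free_count++;                /* block not live: this is a double free */
}

/* Hypothetical handler with the bug: the error path frees the buffer, then
 * jumps to a cleanup path that frees it again. */
static int handle_message_vulnerable(const char *msg) {
    char *buf = tracked_alloc(64);
    if (buf == NULL) return -1;
    strncpy(buf, msg, 63);
    buf[63] = '\0';
    if (strstr(buf, "<bad>") != NULL) { /* malformed element: abort */
        tracked_free(buf);              /* first free */
        goto cleanup;
    }
    /* ... normal processing of a well-formed message would go here ... */
cleanup:
    tracked_free(buf);                  /* second free when we came via the error path */
    return 0;
}

/* Same handler with the fix: the pointer is cleared the moment the buffer is
 * released, so the shared cleanup path cannot free it twice. */
static int handle_message_fixed(const char *msg) {
    char *buf = tracked_alloc(64);
    if (buf == NULL) return -1;
    strncpy(buf, msg, 63);
    buf[63] = '\0';
    if (strstr(buf, "<bad>") != NULL) {
        tracked_free(buf);
        buf = NULL;                     /* ownership released */
        goto cleanup;
    }
cleanup:
    tracked_free(buf);                  /* NULL on the error path: no-op */
    buf = NULL;
    return 0;
}

/* Run a handler over one message and report how many double frees it attempted. */
int double_frees_for(int (*handler)(const char *), const char *msg) {
    double_free_count = 0;
    handler(msg);
    return double_free_count;
}

int main(void) {
    const char *bad = "<msg><bad></msg>";   /* constructed malformed message */
    const char *ok  = "<msg><ok></msg>";    /* constructed well-formed message */
    printf("vulnerable, malformed:   %d double free(s)\n",
           double_frees_for(handle_message_vulnerable, bad));
    printf("vulnerable, well-formed: %d double free(s)\n",
           double_frees_for(handle_message_vulnerable, ok));
    printf("fixed, malformed:        %d double free(s)\n",
           double_frees_for(handle_message_fixed, bad));
    return 0;
}
```

The point to notice is that the well-formed message never triggers the bug; only the malformed one reaches the error path. That is exactly why a portal that accepts arbitrary input before authentication is so exposed: the attacker chooses the input, so the attacker chooses which path the parser takes.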
On the Common Vulnerability Scoring System (CVSS), the vulnerability in Cisco’s clientless WebVPN received the maximum score, 10 out of 10.
Cisco has issued a patch for the vulnerability, but as with Meltdown and Spectre, there is no way of knowing how many attackers had found and exploited the flaw before Cisco became aware of it. Cisco has said that it is currently unaware of any breaches resulting from the WebVPN vulnerability.
Platte River Has Never Run WebVPN Because of the Security Sacrifice
We did not know of this specific vulnerability prior to Cisco’s announcement, but we have not installed, recommended, or even accepted WebVPN for any of our clients. The sacrifices in security were always too great.
Even with the patch, a clientless portal still gives an outsider too much freedom to probe the device, and the network behind it, for weaknesses. Further cases in point came on February 5, when Cisco updated its advisory with additional attack vectors, other ways an attacker could take control of affected network devices.
At the time of writing, Cisco had posted 13 vulnerabilities!
Platte River’s position on WebVPN stands. We do not advise using this product to secure any private network.
More generally, we caution any organization that prioritizes convenience over security. Precautions must be taken to protect valuable assets. Some of them are inconvenient, but cases like clientless VPN show that user-friendliness can be taken too far.