Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/21/2019
09:00 AM
50%
50%

7 Ways VPNs Can Turn from Ally to Threat

VPNs are critical pieces of the security infrastructure, but they can be vulnerable, hackable, and weaponized against you. Here are seven things to be aware of before you ignore your VPN.
Previous
1 of 8
Next

VPNs are critical pieces of the enterprise cybersecurity infrastructure. When it comes to protecting data in motion, there's really no good substitute. And that's why it can be so devastating to learn that this mandatory tool can carry vulnerabilities.

Before going any further, it's important to note that nothing here is intended to suggest that your organization ditch its VPNs. Networking with VPNs is vastly more secure than networking without them. With that said, there's no part of the enterprise IT infrastructure that qualifies as "set it and forget it," and VPNs are not exceptions to this rule.

The dangers represented in this article fall into two broad categories; first are the vulnerabilities that are "designed in," featuring problems with the logic, installation, or basic features of the VPN's client or server.

Vulnerabilities in the second group are "classic" vulnerabilities — inadvertent errors in the code running on one side or other of the VPN, an issue with how a protocol is implemented, or something similar.

A number of the vulnerabilities listed in this article have been patched in recent versions of the software, illustrating once again the importance of keeping software updated and fully patched. More than that, the vulnerabilities listed here are a reminder that cybersecurity means looking at every piece of the IT infrastructure, whether it's provided by the business or brought in by the employee. That goes for services as much as for products, and for security services as much as personal productivity applications.

(Image: Bits and Splits via Adobe Stock)

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Poll Results: Maybe Not Burned Out, but Definitely 'Well Done'."

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rnolan
100%
0%
rnolan,
User Rank: Apprentice
9/30/2019 | 11:52:04 PM
Re: VPN Risks
I'm a bit bemused why most of these services are called VPNs when they are fundamentally just anonymising services (proxys).  A VPN (used to mean) point to "end" point (end to end encryption).  I supose you could call the eco system on the user side of the proxy a private logical network providing some protection from public WiFi etc.  More worrying is the claims made by companies like Nord that using their service protects your data/privacy etc.  It doesn't offer any protection from the proxy to where you are surfing other than hiding your IP address. Obviously if the site you are accessing is a HTTPS/TLS site this will afford some protection but the "VPN" service advertised doesn't.  Moreover, these services provide a perfect man in the middle opportunity and, depending where they are located (i.e. anywhere in the cloud) no regulatory/legal oversight or protection.
repogos
50%
50%
repogos,
User Rank: Apprentice
9/23/2019 | 6:05:28 AM
with all
does with happen with every vpn and for paid one?
Moral_Monster
50%
50%
Moral_Monster,
User Rank: Apprentice
9/22/2019 | 6:47:18 AM
VPN Risks

In most cases I tend to think that the problem is that loose nut behind the keyboard, But each of these are problems that land right in the lap of IT. But is there a site that will give you the straight poop on the different VPN Providers? Until you develop a relationship with your provider the sales weasels will be quick to tell you "Sure we do. Everything is fine.".

News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26543
PUBLISHED: 2021-05-06
The "gitDiff" function in Wayfair git-parse <=1.0.4 has a command injection vulnerability. Clients of the git-parse library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
CVE-2021-27216
PUBLISHED: 2021-05-06
Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.
CVE-2021-29490
PUBLISHED: 2021-05-06
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and ex...
CVE-2021-29491
PUBLISHED: 2021-05-06
Mixme is a library for recursive merging of Javascript objects. In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the ava...
CVE-2021-29921
PUBLISHED: 2021-05-06
Improper input validation of octal strings in Python stdlib ipaddress 3.10 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octects are left stripped instead of evaluated as valid I...