In a report shared with TechCrunch, researchers at Devcore said three popular corporate VPN providers contain flaws that are “easy” to remotely exploit.
These virtual private networks (VPN) — Palo Alto Networks, Pulse Secure, and Fortinet — are used by enterprises around the world. They allow staff who work remotely to securely access the company’s network. However, Devcore researchers, Orange Tsai and Meh Chang, said they found bugs that would allow hackers to infiltrate a company’s network without a working username or password.
“We could compromise the VPN server and corporate intranet with no authentication required, compromise all the VPN clients, and steal all secrets from the victims,” Tsai said in a statement to TechCrunch.
In their report, the researchers shared details about the Palo Alto bug, which they said:
“A simple format string flaw — such as inputted text that isn’t properly understood by the server — is enough to crash the service altogether.”
As mentioned before, enterprises around the world use these corporate VPNs. One such enterprise is Uber, which uses Palo Alto’s GlobalProtect VPN. According to the researchers, they “tested the bug on one of Uber’s internal Palo Alto-run servers.”
Uber quickly fixed the bug.
They also exposed vulnerabilities in Twitter. These vulnerabilities allowed them to get “the root privilege on Twitter’s most important VPN server successfully and got the highest severity and the highest bounty from their bounty program.”
Tsai and Chang contacted Palo Alto privately about the bugs, but the company said the bugs had already been “found internally,” however, it did not issue a public advisory — a move that was criticized by some members of the security community.
Additionally, TechCrunch says, along with issuing an advisory, Fortinet fixed its vulnerabilities. And, Pulse Secure’s chief marketing officer Scott Gordon said the company notified its customers of the vulnerability, and an available patch, in late April.
More details on Fortinet and Pulse Secure’s flaws will be released in the coming days.