Information Security News mailing list archives

Flaws in widely used corporate VPNs put company secrets at risk


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 24 Jul 2019 08:03:30 +0000 (UTC)

https://techcrunch.com/2019/07/23/corporate-vpn-flaws-risk/

By Zack Whittaker
TechCrunch
July 23, 2019

Researchers have found several security flaws in popular corporate VPNs which they say can be used to silently break into company networks and steal business secrets.

Devcore researchers Orange Tsai and Meh Chang, who shared their findings with TechCrunch ahead of their upcoming Black Hat talk, said the flaws found in the three corporate VPN providers — Palo Alto Networks, Pulse Secure and Fortinet — are “easy” to remotely exploit.

These VPNs — or virtual private networks — aren’t your traditional consumer VPN apps designed to mask where you are and hide your identity, but are used by staff who work remotely to access resources on a company’s network. Typically employees must enter their corporate username and password, and often a two-factor code. By connecting over an HTTPS (SSL) connection, these providers create a secure tunnel between the user’s computer and the corporate network.

But Tsai and Chang say the bugs they found allow anyone to covertly burrow into a company’s network without needing a working username or password.

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_
