MITRE Breach: VPNs Considered Dangerous?

Summary

MITRE, the company that maintains the Common Vulnerabilities and Exposures (CVE) database, was recently breached due to a vulnerability in their own VPN infrastructure.

The issues used to gain access to MITRE, CVE-2023-46805 and CVE-2024-21887, were fairly well covered in the news earlier this year. They could be chained together to enable a remote attacker to take full control of Ivanti Connect Secure, a VPN server that (at the time of writing) has just over 30,000 Internet-visible deployments. Unfortunately, this wasn’t the first critical VPN vulnerability and we are continuing to see even more of them get discovered and exploited.

Implications

VPN devices are still seen as a standard solution for organisations looking to provide secure remote access to internal infrastructure. However, we are now at a point where it is actually difficult to find any commercial VPN offering that hasn’t suffered from at least one critical vulnerability.

It isn’t just the number of vulnerabilities that causes concern, in many cases the damage from these issues has been amplified due to a lack of focus on defence in depth by the vendors. You can read more about this in our blog post from last year: We need to talk about Product Security. We have also previously discussed some of the risk management challenges associated with VPN vulnerabilities: The Importance of Risk Management.

VPNs Considered Dangerous

The level of risk involved in maintaining an Internet-facing VPN server is rapidly getting to the point where it is difficult to justify. And with users and infrastructure now migrating to a decentralised model, a traditional VPN server can start to look like more of a security problem than a security solution.

Our recommendation at this point is to think carefully about the risk/benefit tradeoff before deploying any new VPN servers. Now would also be a good time to make sure you have a transition plan in place to deal with any VPN infrastructure that is approaching its end of life.

The MITRE breach clearly demonstrates that these vulnerabilities are being widely and quickly exploited, so taking some time to ensure that you don’t get stuck with a highly vulnerable VPN with an expired support contract would be a prudent move.

If you need any guidance on mitigating VPN related risks, or help planning a transition to to a more secure solution, then don’t hesitate to get in touch. Our experts have over 20 years of in-depth experience analysing and securing remote access technology and can provide everything from risk management guidance through to complete packaged solutions for your business.

Further Reading

MITRE Breach Disclosure:

• https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks

Incident Details:

• https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8

Vendor vulnerability Disclosure:

• https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

Cyber➾Guard: Threat driven cybersecurity for small and medium sized businesses:

• https://www.secmatics.com/services/cyberguard