Passwords & MFA Melting VPNs

PureID

Nikhil Bhansi

April 27, 2021


The VPN Meltdown

Throughout March and April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have reported numerous incidents in which old vulnerabilities in popular VPNs were exploited by organized (or state-sponsored) attackers around the world.

A large number of malware families and malicious actors across the globe are on a spree of exploiting old, unpatched vulnerabilities in Fortinet products as well as a zero-day in Pulse Secure VPN.

The victims of these attacks include sensitive segments such as government agencies, defense contractors and financial institutions, among many others.

The Impact

Digital Journal quoted Vinay Sridhara, CTO of Balbix Inc., “About 50,000 records belonging to banks, telecoms and government organizations were exposed by this data leak, including session-related information and plain-text usernames and passwords of Fortinet VPN users.

“What’s most concerning is that even if the vulnerability is patched, the credentials are still at risk for credential stuffing attacks,” he added.

The shift to remote working has increased demand for SSL VPNs, and with it the attack surface and the number of available targets for APT groups and cybercriminals.

Credential Compromise

Passwords for both VPNs, FortiGate and Pulse Secure, are being compromised through different CVEs.

Many unpatched vulnerabilities from the recent past have allowed unauthenticated attackers to compromise a vulnerable VPN server and gain access to all active users and their plain-text credentials.

Attackers could also execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

| Affected VPN | CVE ID | Description | Impact |
| --- | --- | --- | --- |
| Fortinet (FortiOS) | CVE-2019-5591 | Configuration vulnerability may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server, as the default configuration does not verify the LDAP server identity. | Information disclosure (password files & private keys) |
| Pulse Secure | CVE-2019-11510 | Arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable Pulse Secure VPN servers, gain access to all active users and their plain-text credentials, and execute arbitrary commands. | Access to passwords |

Vulnerabilities giving access to VPN credentials

2FA/MFA Bypass

It is a common recommendation and best practice to use 2FA or MFA alongside passwords for VPN access. It is generally believed that if passwords are compromised for some reason, the VPN is still safe because of the additional factor.

But during these attacks we have seen that both VPNs also suffer from MFA/2FA bypass vulnerabilities. This makes the commonly followed best practice and recommendation of having 2FA/MFA pointless.

| Affected VPN | CVE ID | Description | Impact |
| --- | --- | --- | --- |
| Fortinet (FortiOS) | CVE-2020-12812 | Improper Authentication vulnerability in SSL VPN 2FA in FortiOS lets a user log in successfully without being prompted for the 2FA (FortiToken) if they change the case of their username. | 2FA/MFA bypass (improper authentication, operational risk) |
| Pulse Secure | SlowPulse malware family | Secret backdoor access allows attackers to disable or bypass 2FA/MFA verification. | Bypasses single- and multi-factor authentication on Pulse Secure VPN devices, persists across upgrades, and maintains access through webshells |

Vulnerabilities allowing 2FA/MFA to be bypassed
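The FortiOS row above describes a flaw class worth seeing in code: the password check matches the username case-insensitively, but the 2FA-enrollment lookup is case-sensitive, so a username typed in a different case authenticates against the real password and then finds no enrollment record, and is let through without a token prompt. The snippet below is an added illustration, not PureID's or Fortinet's code and not the FortiOS implementation; the user store, the enrollment table, the token serial and the log lines are all constructed for the example. It shows the vulnerable flow, a hardened flow that canonicalises the username once and fails closed when no enrollment exists, and a small log check a defender can run to spot successful logins that skipped the second factor.

```python
"""Added example: username-case 2FA bypass pattern and its hardened form.

Assumptions (all constructed for this example):
  - USERS maps a lowercase username to a salted PBKDF2 password hash.
  - MFA_ENROLLED maps a username to a token serial, keyed exactly as an
    administrator typed it (this is the weak point).
  - AUTH_LOG lines are loosely modelled on an SSL-VPN authentication log.
"""
import hashlib
import hmac
import os
import re


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}   # constructed

# Placeholder token serial; keyed in the case the admin used at enrollment.
MFA_ENROLLED = {"alice": "FTK-PLACEHOLDER-0000"}            # constructed


def _password_ok(username_key: str, password: str) -> bool:
    rec = USERS.get(username_key)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


def vulnerable_login(username: str, password: str, token_ok: bool):
    """Returns (logged_in, mfa_prompted). token_ok means a second factor was
    presented and verified. Mirrors the flaw: password lookup is
    case-insensitive, enrollment lookup is case-sensitive."""
    if not _password_ok(username.lower(), password):
        return False, False
    if username in MFA_ENROLLED:            # exact-case lookup
        return token_ok, True
    return True, False                      # no enrollment found => no prompt


def hardened_login(username: str, password: str, token_ok: bool):
    """Same contract, with one canonical username for every lookup and a
    fail-closed rule: an account with no 2FA enrollment gets no VPN access."""
    key = username.casefold()
    if not _password_ok(key, password):
        return False, False
    enrolled = {u.casefold() for u in MFA_ENROLLED}   # normalise the store too
    if key not in enrolled:
        return False, True                  # prompt (or deny), never skip
    return token_ok, True


# Constructed log lines: the second one is the signal a defender wants to see.
AUTH_LOG = [
    'user="alice" action="login" status="success" mfa="prompted"',
    'user="Alice" action="login" status="success" mfa="none"',
    'user="bob" action="login" status="failure" mfa="none"',
]
_LINE_RE = re.compile(r'user="([^"]+)" action="login" status="(\w+)" mfa="(\w+)"')


def logins_without_mfa(lines):
    """Usernames of successful logins where no second factor was prompted.
    If 2FA is mandatory for every VPN user, each hit deserves an alert."""
    hits = []
    for line in lines:
        m = _LINE_RE.search(line)
        if m and m.group(2) == "success" and m.group(3) == "none":
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print("vulnerable, 'Alice', no token:", vulnerable_login("Alice", "correct horse", False))
    print("hardened,   'Alice', no token:", hardened_login("Alice", "correct horse", False))
    print("logins that skipped MFA:", logins_without_mfa(AUTH_LOG))
```

The two things the hardened version changes are the ones that matter regardless of product: every identity lookup (password, enrollment, policy) keys off the same canonical form of the username, and the absence of an enrollment record is treated as a denial rather than as "this user has no second factor". The log check is deliberately simple; on a real appliance the field names differ, but the query is the same: successful authentications with no MFA event.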

EFFECTIVE SOLUTION: GO PASSWORDLESS

Passwords are by far the weakest link in security today. Successful attacks involve lost, breached or re-used passwords, and we have seen that 2FA/MFA were of no help.

You cannot avoid patching, but you can certainly avoid passwords and the 2FA/MFA solutions built on top of them, and go passwordless with much more ease and convenience.

Today, the smartest and most secure way to sign in to any VPN or enterprise application is to go completely passwordless.

With PureAuth passwordless authentication, you can effectively mitigate the risk of having your password stolen by phishing and a number of other methods.

The usernames and passwords dumped by (ab)using CVE2018- are being used to gain access to the network even after the vulnerability is patched. VPNs are the first line of defense for any enterprise; do not leave them at the mercy of 2FA/MFA, which can be easily bypassed. Go passwordless with PureID. Stolen passwords won’t affect you if there are no passwords.

You can also check out our integrations for other popular VPNs: Palo Alto and OpenVPN.
