NewsBites Drilldown for the Week Ending 10 July 2020


John Pescatore – SANS Director of Emerging Security Trends

This week’s Drilldown will address items (included below) from NewsBites Issue 53 and Issue 54, both of which focus on the issue of maintaining security on remote access capabilities.

The first item pointed to summary guidance from the U.S. National Security Agency (NSA) on traditional VPN tunnel/gateway approaches:

  • Reduce the VPN gateway attack surface.
  • Verify that cryptographic algorithms are compliant with Committee on National Security Systems (CNSS) Policy 15.
  • Avoid using default VPN settings.
  • Remove unused or noncompliant cryptography suites.
  • Apply vendor-provided updates (i.e., patches) for VPN gateways and clients.

The NSA paper also pointed to more detailed guidance on securely configuring VPNs here.
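The two cryptography items in the list above (verify policy compliance, remove noncompliant or default suites) can be turned into a repeatable configuration check. The following is an added example, not code from the NSA paper or from SANS; it assumes strongSwan-style dash-separated IKE/ESP proposal strings, and its allow-list uses the NSA CNSA Suite values (AES-256, SHA-384, P-384 or 3072-bit and larger DH) as an assumed stand-in for the CNSSP 15 review your organization performs.

```python
"""Audit IKE/ESP proposal strings against an algorithm allow-list.

Added example (not from the NSA guidance or the post). Proposal strings
follow the strongSwan dash-separated convention (assumed). The allow-list
holds CNSA Suite values as an assumed stand-in for a CNSSP 15 review.
"""
import re

# Allow-list by component class (assumed values; see module docstring).
ALLOWED = {
    "cipher": {"aes256", "aes256gcm16", "aes256gcm128"},
    "integrity": {"sha384", "sha512"},
    "prf": {"prfsha384", "prfsha512"},
    "dh": {"ecp384", "modp3072", "modp4096"},
}

# Classify each dash-separated token by its prefix; order matters because
# "prfsha384" must be treated as a PRF, not an integrity algorithm.
CLASSIFIERS = [
    ("prf", re.compile(r"^prf")),
    ("cipher", re.compile(r"^(aes|3des|des|null|chacha20)")),
    ("integrity", re.compile(r"^(sha|md5|aesxcbc)")),
    ("dh", re.compile(r"^(modp|ecp|curve)")),
]

def classify(token):
    for cls, rx in CLASSIFIERS:
        if rx.match(token):
            return cls
    return "unknown"

def audit_proposal(proposal):
    """Return a list of (token, reason) findings; an empty list is compliant."""
    findings = []
    for token in proposal.lower().split("-"):
        cls = classify(token)
        if cls == "unknown":
            findings.append((token, "unrecognised component"))
        elif token not in ALLOWED[cls]:
            findings.append((token, f"{cls} not in allow-list"))
    return findings

def audit_config(proposals):
    """Map each configured proposal to its findings, omitting clean ones."""
    return {p: audit_proposal(p) for p in proposals if audit_proposal(p)}

# Constructed sample of proposals a gateway might still have enabled.
SAMPLE = [
    "aes256gcm16-prfsha384-ecp384",   # compliant under the allow-list
    "aes128-sha1-modp1024",           # legacy, default-style suite
    "3des-md5-modp1024",              # should have been removed
]

if __name__ == "__main__":
    for proposal, findings in audit_config(SAMPLE).items():
        print(proposal, "->", findings)
```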

SANS Fellow and Internet Storm Center Director Johannes Ullrich emphasized the most critical security step to take for all perimeter gateways:

One of the most important things you can do, even if you do not use any of these [remote access] products, is to ensure that any administrative interfaces for these devices are accessible only from management networks or VPNs. Limiting access will prevent the vast majority of the exploits used against these vulnerabilities.

Traditional VPN gateways aren’t the only remote access method in use. A recent poll by SANS instructor Heather Mahalik found that, most often, multiple remote access methods are being supported to handle the work-from-home load.

Figure: From “How Are Remote Workers Working? A SANS Poll”

Web-based and remote desktop access are common parts of the mix and need to be kept secure.

The second item points to attackers already scanning for critical patches released by Citrix for its gateway appliances. Vulnerabilities in remote access and other perimeter gateways act as “force multipliers” for attackers, who actively search for missing patches and rapidly launch attacks. Security teams should work with IT and network operations to take immediate steps to reduce risk (such as securing management interfaces) and prioritize patching of perimeter security appliances and gateway software.


NSA Issues Guidance on Securing IPSec VPNs

(July 2, 2020)

The U.S. National Security Agency (NSA) released guidance to help organizations secure their IPSec VPNs. Many organizations are using these to enable their employees to work from home. The NSA also released a document with information about configuring IPSec VPNs.

[Editor Comments][Pescatore] Related to this item and the one about the USCYBERCOM warning of critical vulnerabilities in Palo Alto Networks’ PAN-OS based products, Johannes Ullrich of SANS put forth great guidance earlier in the year about critical vulnerabilities in security and VPN appliances. SANS published that guidance as part of the SANS 2020 Top New Attacks and Threat Report, available at

[Murray] This guidance seems to assume that all VPNs will terminate on a network “gateway.” While there will be a lot of these in a work-from-home situation, I prefer to terminate VPNs on applications rather than on networks or operating systems.


More Security Vulnerabilities in Perimeter Security Devices and What To Do About Them

The last two weeks highlighted yet again security problems with software and devices that are supposed to protect our perimeters. Most notably, F5’s BIG-IP devices were found to suffer from a trivially exploitable remote code execution vulnerability. This vulnerability is already heavily exploited, and a vulnerable, badly configured device was likely exploited over the weekend. But F5 wasn’t alone. About a week ago, Palo Alto Networks reported a problem allowing authentication bypass in certain configurations of its devices. And less noted, but still important, were vulnerabilities in the open source RDP gateway Guacamole. As a cheaper alternative to commercial solutions, some organizations implemented this solution to provide controlled access to RDP services for remote workers. One of the most important things you can do, even if you do not use any of these products, is to ensure that any administrative interfaces for these devices are accessible only from management networks or VPNs. Limiting access will prevent the vast majority of the exploits used against these vulnerabilities.

Read more in:

Bleeping Computer: NSA releases guidance on securing IPsec Virtual Private Networks

Defense: Securing IPsec Virtual Private Networks (PDF)

Defense: Configuring IPsec Virtual Private Networks (PDF)

Citrix Patches 11 Vulnerabilities in Networking Products; Someone Is Already Scanning for Vulnerable Installations

(July 7, 8, and 9, 2020)

Earlier this week, Citrix released fixes for 11 vulnerabilities in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP appliances. The flaws include information disclosure, local privilege elevation, code injection, cross-site scripting (XSS), authorization bypass and DoS. Rob Joyce, the former head of the NSA’s Tailored Access Operations (TAO) team, has urged users to apply the patches as soon as possible. Active scanning for vulnerable installations has been detected.

[Editor Comments][Ullrich] The XSS vulnerability is particularly interesting here. The impact of XSS vulnerabilities is often underestimated. In this case, the XSS vulnerability can be used to execute code on the device. Exploitation has been demonstrated in a YouTube video, but code for the full exploit has not been made public yet. The victim, an administrator currently logged into the system, will have to visit a malicious website to trigger the exploit chain. The result is full access to the device for the attacker.

[Neely] The debate over urgency occurs because the attacks require access to vulnerable devices to exploit. Targeting the management interface using XSS can lead to compromise. Virtual IPs could also be used to initiate a DoS attack or internal network scan. In addition to applying the patches, restrict access to the management interface.

[Honan] Given the large number of people now working remotely during the coronavirus pandemic, attacks against remote access points, such as Citrix gateways, are on the rise. These vulnerabilities are already being actively exploited and should be patched as quickly as possible.

Read more in:

SANS ISC: Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688

The Register: FYI: Someone’s scanning for gateways with those security holes Citrix told you not to worry too much about

DUO: Citrix Patches 11 Vulnerabilities in Several Products

Threatpost: Citrix Bugs Allow Unauthenticated Code Injection, Data Theft

The Register: Citrix tells everyone not to worry too much about its latest security patches. NSA’s former top hacker disagrees

Bleeping Computer: Citrix fixes 11 flaws in ADC, Gateway, and SD-WAN WANOP appliances

Twitter: Rob Joyce

Citrix: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update

*** This is a Security Bloggers Network syndicated blog from SANS Blog authored by SANS Blog. Read the original post at: