Forget your Perimeter: From Phishing Email to Full VPN Compromise

Like it or not, the perimeter has been a necessary line of defense to protect corporate networks from adversaries. Virtual Private Network (VPN) appliances are exposed on that perimeter to allow employees or trusted third parties to access the internal network, a growing necessity in current times. But what if the appliance you trust is vulnerable and could be the very vector that leads attackers right in? This presentation summarizes an encounter with such an appliance during a penetration test. We will go over the technical details of two cross-site scripting (XSS) vulnerabilities, one XML External Entity (XXE) vulnerability and one command-injection vulnerability, all affecting the latest Pulse Secure VPN product. We will then integrate them into a realistic attack scenario that demonstrates how an external attacker with only a little bit of OSINT can chain these vulnerabilities to pivot into the internal network from outside.

All the vulnerabilities discovered and discussed in this presentation were responsibly disclosed to the vendor and a 90-day window will have been respected by the time of the presentation.

Jean-Frederic Gauron & Julien Pineault