As COVID-19 slowly spread across the globe, consumer demand for commercial virtual private network (VPN) services has soared – both for security reasons and for bypassing geo-blocking of (streaming) content. Not unexpectedly, enterprise VPN use has also greatly increased, and so has the use of the Remote Desktop Protocol (RDP), a popular and common means for remotely managing a computer over a network connection.
Increased enterprise RDP and VPN use
Shodan creator John Matherly has pulled old and new data regarding devices exposing RDP and VPN protocols and ports to the Internet and has confirmed that:
- The number of devices exposing RDP to the internet on standard ports (3389) has grown by 41.5 percent over the past month
- The number of devices exposing RDP to the internet on non-standard but often used alternate ports (3388) has grown by 36.8 percent over the same period
- The number of servers running VPN protocols (IKE, PPTP, etc.) on different ports has jumped from nearly 7.5 million to nearly 10 million (by a third).
With the increased usage of these services comes an increased risk of compromise, though.
“[RDP] has a history of security issues and generally shouldn’t be publicly accessible without any other protections (ex. firewall whitelist, 2FA),” Matherly noted.
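One way to apply the firewall allowlist Matherly refers to on a Windows host, as an added PowerShell example that is not from the article or from Shodan: it scopes the built-in Remote Desktop rules and an explicit TCP/3389 rule to a placeholder list of management addresses, turns on Network Level Authentication, and then reports any remaining inbound rule that still allows 3389 from any source. The address ranges and the registry-based NLA setting are assumptions for illustration; the 2FA part of the advice is not covered here.

```powershell
# Added example (not from the article): restrict inbound RDP on a Windows host to an
# administrator-managed allowlist instead of leaving TCP/3389 reachable from anywhere.
# Assumptions: the source addresses below are constructed placeholders; replace them with
# your own management networks. Run from an elevated PowerShell session.

$AllowedSources = @('10.20.0.0/24', '192.0.2.10')   # placeholder management ranges
$RdpPorts       = @(3389)                           # add 3388 here if the host also listens there

# 1. Scope the built-in "Remote Desktop" rule group to the allowlist rather than "Any".
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $AllowedSources

# 2. Add an explicit allow rule for the listening port(s), also scoped to the allowlist.
New-NetFirewallRule -DisplayName 'RDP - management allowlist only' `
    -Direction Inbound -Protocol TCP -LocalPort $RdpPorts `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any

# 3. Require Network Level Authentication so credentials are checked before a session is created.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# 4. Verify: flag every enabled inbound allow rule that still permits TCP/3389 from any address.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $rule = $_
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '3389') -and $addr.RemoteAddress -eq 'Any') {
        Write-Warning "Rule '$($rule.DisplayName)' still exposes RDP to any source address"
    }
}
```

Step 4 is worth running on its own after any change to the firewall, since a later rule from another product can silently reopen the port.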
While helpful for allowing remote users to securely connect to corporate applications and resources, the VPNs set up by organizations are not immune to attack and compromise via known and unknown vulnerabilities, both on the client and server side.
Among the more recent examples are:
- CVE-2019-1573, a vulnerability that made a variety of VPN applications store the authentication and session cookies insecurely in memory and/or log files
- CVE-2019-11510, an arbitrary file reading vulnerability affecting Pulse Connect Secure SSL VPN installations
- CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal
The latter two can be exploited remotely by sending a specially crafted HTTPS request, don’t require authentication, and allow attackers to download files/extract sensitive information from the vulnerable servers. They have also been actively exploited by attackers.