With more critical gateway devices deployed to support off-premise work, companies across the world have to adapt to a new threat landscape in which perimeter and remote access devices are now on the front line.
Companies lack visibility into the growing set of internet-connected services and devices that support the new work paradigm, and the avalanche of vulnerabilities reported for edge devices makes tackling the new security challenge even more difficult.
Over 1 million devices
In research published today, digital threat management company RiskIQ found hundreds of thousands of edge network and remote access solutions from Cisco, Microsoft, Citrix, IBM and others affected by high and critical severity security vulnerabilities.
Global internet telemetry data from the company shows a huge attack surface for adversaries to probe in the hope of finding a way into the target organization:
F5 BIG-IP: 967,437 devices
Citrix NetScaler Gateway: 86,773 devices
Palo Alto GlobalProtect: 61,869 devices
Microsoft Remote Desktop Gateway: 42,826 devices
Oracle WebLogic: 14,563 devices
Citrix ADC: 7,970 devices
IBM WebSphere Application Server: 7,496 devices
Oracle iPlanet Web Server 7.0: 2,848 devices
Citrix ShareFile: 2,766 devices
SAP NetWeaver: 2,629 devices
Zoho Desktop Central: 1,988 devices
Cisco ASA & Firepower: 1,982 devices
More than a dozen high and critical flaws leading to remote code execution for these devices and others of similar importance on a corporate network have been disclosed over the past year.
F5 announced on July 3 that it had patched CVE-2020-5902, a critical (10/10) vulnerability in BIG-IP devices used by Fortune 500 firms, banks, and internet service providers. Two days later, demo exploit code emerged and attackers started to leverage it.
Citrix NetScaler Gateway devices vulnerable to CVE-2019-19781, severity score of 9.8, received patches towards the end of January 2020 but attackers started scanning for targets at least two weeks before.
This year Palo Alto fixed a critical security flaw (CVE-2020-2021, 10/10 severity) in firewalls running GlobalProtect PAN-OS that allowed bypassing authentication when Security Assertion Markup Language (SAML) was active.
An exploit for the BlueGate vulnerabilities in Windows Remote Desktop Gateway (CVE-2020-0609 and CVE-2020-0610, both with a severity score of 9.8) was demonstrated in January, with details for achieving remote code execution disclosed later.
“Threat actors are taking note, realizing these security flaws, invisible to security teams, are inroads for an attack” - RiskIQ
The researchers say that monitoring these new assets and the issues they are vulnerable to requires a “new type of technology that looks at an organization's digital presence from the outside-in.”
Even when fixes are available for security issues in these critical devices, attackers keep scanning for vulnerable targets because they know that the time companies take to patch is a window of opportunity. Sometimes it takes months until updates are applied.
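As an illustration of the outside-in inventory and patch-window triage described above, here is an added example (not RiskIQ's tooling or anything from the article): it fingerprints constructed HTTP observations into the product families listed in the research, maps each family to the critical CVEs named in the article, and ranks exposed hosts by severity and by how many days they have been exposed since the advisory. The fingerprints (cookie and path patterns) and all advisory dates other than F5's July 3 are assumptions for the example and should be checked against your own captures.

```python
"""Outside-in attack-surface triage for exposed remote-access/edge devices.

Added example, not code from RiskIQ or the article. The observations below
are constructed; the fingerprints and most advisory dates are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass
class Observation:
    """One externally observed host: what it answered with, and when."""
    host: str
    server_header: str = ""
    set_cookie: str = ""
    paths: tuple = ()          # request paths that returned a login page
    observed: date = date(2020, 7, 10)


# Critical CVEs named in the article, keyed by product family.
# Advisory dates: F5's is the date given in the article; the others are
# assumptions used only to compute an exposure window for ranking.
KNOWN_CRITICAL = {
    "F5 BIG-IP": [("CVE-2020-5902", 10.0, date(2020, 7, 3))],
    "Citrix NetScaler Gateway": [("CVE-2019-19781", 9.8, date(2020, 1, 24))],
    "Palo Alto GlobalProtect": [("CVE-2020-2021", 10.0, date(2020, 6, 29))],
    "Microsoft Remote Desktop Gateway": [
        ("CVE-2020-0609", 9.8, date(2020, 1, 14)),
        ("CVE-2020-0610", 9.8, date(2020, 1, 14)),
    ],
}


def fingerprint(obs: Observation) -> str:
    """Classify a host by response artefacts. Patterns are assumptions."""
    cookie = obs.set_cookie.lower()
    server = obs.server_header.lower()
    paths = {p.lower() for p in obs.paths}
    if "bigipserver" in cookie or "/tmui/login.jsp" in paths:
        return "F5 BIG-IP"
    if "/vpn/index.html" in paths or "nsc_" in cookie:
        return "Citrix NetScaler Gateway"
    if "/global-protect/login.esp" in paths:
        return "Palo Alto GlobalProtect"
    if "/remotedesktopgateway/" in paths:
        return "Microsoft Remote Desktop Gateway"
    if "weblogic" in server or "/console/login/loginform.jsp" in paths:
        return "Oracle WebLogic"
    return "unknown"


def summarize(observations):
    """Count exposed hosts per product family, like the article's table."""
    return Counter(fingerprint(o) for o in observations)


def triage(observations):
    """Return (host, product, cve, cvss, days_exposed) tuples, highest
    severity first and, within a severity, longest exposure first."""
    rows = []
    for obs in observations:
        product = fingerprint(obs)
        for cve, cvss, advisory in KNOWN_CRITICAL.get(product, []):
            days = (obs.observed - advisory).days
            rows.append((obs.host, product, cve, cvss, days))
    rows.sort(key=lambda r: (-r[3], -r[4]))
    return rows


# Constructed sample: five externally visible hosts, one of them uninteresting.
SAMPLE = [
    Observation("vpn1.example.test",
                set_cookie="BIGipServerpool_web=1234; path=/",
                paths=("/tmui/login.jsp",)),
    Observation("gw.example.test", set_cookie="NSC_TMAS=x",
                paths=("/vpn/index.html",)),
    Observation("gp.example.test", paths=("/global-protect/login.esp",)),
    Observation("rdg.example.test", paths=("/remoteDesktopGateway/",)),
    Observation("www.example.test", server_header="nginx"),
]

if __name__ == "__main__":
    for product, n in summarize(SAMPLE).most_common():
        print(f"{product}: {n}")
    for host, product, cve, cvss, days in triage(SAMPLE):
        print(f"{host:22} {product:34} {cve:15} {cvss:4} exposed {days:4} days")
```

Ranking by exposure window rather than only by CVSS is the point: the two hosts still unpatched six months after their January advisories sit above the one that is a week behind on CVE-2020-5902, which matches the article's observation that the oldest unpatched edge devices are the ones attackers keep scanning for.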