We present a User Impersonation Attack in multiple SSL VPNs, including Cisco, Palo Alto, Fortinet, SonicWall. Our attack allows the attacker to bypass any intended firewall and routing rules and therefore able to explore freely within an SSL VPN-protected network without restrictions, while being connected from the Internet. We dubbed this attack “VPN Gremlin” as if a gremlin has tampered with the intended firewalling and routing rules. We will also present our research behind this vulnerability which includes our analysis and reverse engineering of network firewalling and routing mechanisms of popular SSL VPNs.

Our findings stemmed from our research focused on multiple major SSL VPN implementations, as vendors has saw rapid expansion during the rise of need of teleworking, yet it’s another example of “security through obscurity” as breach incidents around SSL VPN gateways are unusual. We, however, are also astonished by the fact that we can demonstrate our attack using the same method on four different vendors.

We intend to shed light again by diving into implementation of routing and firewall rules on different vendors, from firmware extraction to reverse engineering of its networking stack and will demonstrate our methodology of fuzzing its VPN tunneling implementations. We will also demonstrate our (to-be open-sourced) tools for testing multiple SSL VPN tunneling protocols.