7 Common Vulnerabilities and Exposures That Threaten Traditional Firewalls

Traditional firewalls are among the most commonly deployed—and relied upon—layers of defense in OT network cybersecurity strategies. However, the belief that simply having a firewall guarantees security is a misconception. Firewalls, though designed to be gatekeepers, are not immune to vulnerabilities.

Let's discuss seven specific instances where the presence of a firewall, though perceived as the linchpin of a security strategy, inadvertently became a route for threat actors to gain unauthorized access to a network.

What is a Common Vulnerability and Exposure (CVE)?

A CVE is a standardized identifier for a security vulnerability or weakness in software, hardware, or firmware. CVEs are used to uniquely identify and track these vulnerabilities, making it easier for organizations, security researchers, and vendors to share information about security issues and coordinate their efforts to mitigate them.

7 Notable CVEs That Impacted Firewalls

CVE-2020-3580

Description: A vulnerability identified in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.

Potential Damage: This vulnerability could allow an unauthenticated, remote attacker to perform directory traversal attacks, enabling them to read sensitive files on a targeted system.

CVE-2019-1579

Description: A flaw was found in Palo Alto Networks PAN-OS before 8.1.10. and 9.0.0.

Potential Damage: Remote attackers could leverage this vulnerability to execute arbitrary OS commands, potentially taking full control of the affected system.

CVE-2018-6721

Description: A vulnerability discovered in SonicWall's SonicOS.

Potential Damage: Remote attackers could exploit this vulnerability to cause a denial of service (DoS) via specially crafted fragmented packets, impacting system availability.

CVE-2017-5638

Description: A vulnerability in Apache Struts 2 versions before 2.3.32 and 2.5.x before 2.5.10.1.

Potential Damage: This allowed attackers to execute Remote Command Execution attacks through a crafted Content-Type value, potentially leading to data breaches or further network exploitation.

CVE-2016-0801

Description: A vulnerability identified in Cisco ASA Software running on certain Cisco ASA products.

Potential Damage: Remote attackers could exploit this vulnerability to execute arbitrary code or to cause a system to reload, potentially leading to system compromise or downtime.

CVE-2014-0160 (Heartbleed)

Description: A severe vulnerability in the OpenSSL TLS Heartbeat Extension.

Potential Damage: The Heartbleed bug allowed attackers to read the memory of systems protected by vulnerable versions of OpenSSL, potentially leading to the leak of sensitive information like passwords, private keys, and more.

CVE-2012-4681

Description: A vulnerability affecting Oracle Java 7 before Update 7.

Potential Damage: Allowed attackers to remotely execute arbitrary code via vectors related to the Reflection API, potentially leading to system compromise.

Uncompromising OT Network Security

Traditional firewalls continue to be instrumental in shaping organizations’ OT security framework and understanding and addressing their inherent vulnerabilities remains crucial. But it is evident that, while firewalls are by no means obsolete, relying on their protection alone does not provide adequate protection against emerging threats. Building a true, defense-in-depth strategy centered around a Unidirectional Security Gateway or Data Diode in your DMZ ensures data can traverse strictly in one direction. This physical enforcement means that data can be sent out without any threat of malicious data or commands entering in return. In this case, even if a software vulnerability existed, the physical nature of these security gateways enforces a perimeter of defense against the threat, isolating your network from exposure.

OPSWAT NetWall: Next-Level Security Gateway and Optical Diode

OPSWAT has developed NetWall, series of advanced security gateways and optical diodes, to protect critical OT environments from the evolving threat landscape. Available in a variety of configurations and form-factors, NetWall is designed to simplify the complexities of network security as an easy-to-use, scalable, and secure solution.

OPSWAT NetWall is trusted globally to defend some of the world’s most critical environments.

Receive a personal consultation on OPSWAT solutions from certified Softprom specialists.

Softprom – Value Added Distributor of OPSWAT.