Traditional firewalls are among the most commonly deployed—and relied upon—layers of defense in OT network cybersecurity strategies. However, the belief that simply having a firewall guarantees security is a misconception. Firewalls, though designed to be gatekeepers, are not immune to vulnerabilities. In this blog, we discuss seven specific instances where the presence of a firewall, though perceived as the linchpin of a security strategy, inadvertently became a route for threat actors to gain unauthorized access to a network.
What is a CVE?
A CVE, or Common Vulnerability and Exposure, is a standardized identifier for a security vulnerability or weakness in software, hardware, or firmware. CVEs are used to uniquely identify and track these vulnerabilities, making it easier for organizations, security researchers, and vendors to share information about security issues and coordinate their efforts to mitigate them.
7 Notable CVEs That Impacted Firewalls
CVE-2020-3580
Description: A vulnerability identified in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.
Potential Damage: This vulnerability could allow an unauthenticated, remote attacker to perform directory traversal attacks, enabling them to read sensitive files on a targeted system.
Link: CVE-2020-3580
CVE-2019-1579
Description: A flaw was found in Palo Alto Networks PAN-OS before 8.1.10. and 9.0.0.
Potential Damage: Remote attackers could leverage this vulnerability to execute arbitrary OS commands, potentially taking full control of the affected system.
Link: CVE-2019-1579
CVE-2018-6721
Description: A vulnerability discovered in SonicWall's SonicOS.
Potential Damage: Remote attackers could exploit this vulnerability to cause a denial of service (DoS) via specially crafted fragmented packets, impacting system availability.
Link: CVE-2018-6721
CVE-2017-5638
Description: A vulnerability in Apache Struts 2 versions before 2.3.32 and 2.5.x before 2.5.10.1.
Potential Damage: This allowed attackers to execute Remote Command Execution attacks through a crafted Content-Type value, potentially leading to data breaches or further network exploitation.
Link: CVE-2017-5638
CVE-2016-0801
Description: A vulnerability identified in Cisco ASA Software running on certain Cisco ASA products.
Potential Damage: Remote attackers could exploit this vulnerability to execute arbitrary code or to cause a system to reload, potentially leading to system compromise or downtime.
Link: CVE-2016-0801
CVE-2014-0160 (Heartbleed)
Description: A severe vulnerability in the OpenSSL TLS Heartbeat Extension.
Potential Damage: The Heartbleed bug allowed attackers to read the memory of systems protected by vulnerable versions of OpenSSL, potentially leading to the leak of sensitive information like passwords, private keys, and more.
Link: CVE-2014-0160
CVE-2012-4681
Description: A vulnerability affecting Oracle Java 7 before Update 7.
Potential Damage: Allowed attackers to remotely execute arbitrary code via vectors related to the Reflection API, potentially leading to system compromise.
Link: CVE-2012-4681
Uncompromising OT Network Security
Traditional firewalls continue to be instrumental in shaping organizations’ OT security framework and understanding and addressing their inherent vulnerabilities remains crucial. But it is evident that, while firewalls are by no means obsolete, relying on their protection alone does not provide adequate protection against emerging threats. Building a true, defense-in-depth strategy centered around a Unidirectional Security Gateway or Data Diode in your DMZ ensures data can traverse strictly in one direction. This physical enforcement means that data can be sent out without any threat of malicious data or commands entering in return. In this case, even if a software vulnerability existed, the physical nature of these security gateways enforces a perimeter of defense against the threat, isolating your network from exposure.
Dive Deeper: Data Diodes vs Firewalls: Comparing Network Security, Data Flow, and Compliance
MetaDefender NetWall: Next-Level Security Gateway and Optical Diode
With these kinds of vulnerabilities in mind, OPSWAT has developed NetWall, our series of advanced security gateways and optical diodes, to protect critical OT environments from the evolving threat landscape. Available in a variety of configurations and form-factors, NetWall is designed to simplify the complexities of network security as an easy-to-use, scalable, and secure solution.
Discover why NetWall is trusted globally to defend some of the world’s most critical environments
