Canadian Centre for Cyber Security Calls Organizations to Patch VPN Devices

The Canadian Centre for Cyber Security has released an alert to organizations using VPN devices, in particular, Fortinet Fortigate VPN, Palo Alto GlobalProtect VPN and Pulse Connect Secure and Pulse Policy Secure VPN, to keep these internet-facing VPN devices up to date with the latest patches.

“Due to the fact that VPN devices are typically Internet-facing, it is of the utmost importance that they be kept up to date with the latest patches,” the Canadian Centre for Cyber Securitysaid in a statement. Unpatched Fortinet Fortigate VPN, Palo Alto GlobalProtect VPN and Pulse Connect Secure and Pulse Policy Secure VPN, the Canadian Centre for Cyber Security said, have known security vulnerabilities.

For Fortinet Fortigate VPN, the following are the known vulnerabilities: CVE-2018-13382 vulnerability could allow an unauthenticated attacker to change the password of an SSL VPN web portal user; CVE-2018-13379 vulnerability could allow an unauthenticated attacker to download files; CVE-2018-13380 vulnerability could allow cross-site scripting – a vulnerability that enables attackers to inject malicious scripts into web pages viewed by other users; and CVE-2018-13383 vulnerability could cause the SSL VPN web service termination for logged in users or potential remote code execution.

For Palo Alto GlobalProtect VPN, CVE-2019-1579 vulnerability could allow an unauthenticated remote attacker to execute arbitrary code. For Pulse Connect Secure and Pulse Policy Secure VPN, the vulnerability CVE-2019-11510 could allow a remote, unauthenticated actor to view cached plaintext user passwords and other sensitive information.

The VPN devices that form part of the latest security alert from the Canadian Centre for Cyber Security all belong to a type of VPN called SSL, which stands for Secure Sockets Layer (SSL). An SSL VPN is a black box often used by organizations of all sizes to protect organizations’ assets from internet exposure.

Researchers at DEVCOREdiscovered the above-mentioned security vulnerabilities on Palo Alto, Fortigate and Pulse Secure SSL VPN devices. During the recently concluded Black Hat USA 2019 Conference, DEVCORE researchers presented their discoveries. At the Conference, the researchers said that SSL VPN devices are important corporate assets but a “blind-spot”.

The researchers also posted a series of blog posts detailing the extent of the vulnerabilities discovered. Prior to going public, however, about their findings, the researchers at DEVCORE disclosed their findings to the affected SSL VPN vendors for the said vendors to release the necessary fixes and security advisories.

From April 2019 to May 2019 Fortinetreleased the security fixes for the affected Fortinet Fortigate VPN devices and it also issued security advisories during this period, calling affected customers to apply the security fixes. Palo Alto Networks, for its part, on July 24, 2019, released an advisory calling users of affected Palo Alto GlobalProtect VPN devices to apply the security fix to the above-mentioned vulnerability, stating that the vulnerability had been fixed in prior maintenance releases.

Pulse Secure, meanwhile, on April 24, 2019, released security fixes for the affected Pulse Connect Secure and Pulse Policy Secure VPN devices. On the same day, Pulse Secure also released the security advisory calling affected customers to apply the security fixes.

Threat Actors Actively Targetting Fortinet and Pulse Secure SSL VPN Devices

According to the DEVCORE researchers, Fortigate SSL VPN is installed in more than 480,000 servers operating on the internet and prevalent among medium-sized enterprises, while Pulse Secure SSL VPN is installed in more than 50,000 servers operating on the internet and used by large corporations, service providers and government entities.

Last August 24th, Troy Mursch, the independent researcher behind Bad Packetsreported that from August 22-23, this year, threat actor or actors had scanned the internet for Pulse Connect Secure VPN endpoints vulnerable to CVE-2019-11510, a vulnerability that could allow unauthenticated attackers to access private keys and user passwords. Unauthorized access to private keys and user passwords could lead to the vulnerability officially called CVE-2019-11539, a vulnerability that could allow remote command injection and allow attackers to gain access inside private VPN networks.

Mursch said that 14,528 Pulse Secure VPN endpoints in 121 countries are vulnerable to CVE-2019-11510. The researcher added that a portion of these vulnerable Pulse Secure VPN endpoints was found in military, federal, state, and local government agencies, public universities and schools, hospitals and health care providers, electric and gas utilities, major financial institutions, media corporations and numerous Fortune 500 companies.

Since August 22, this year, security researcher Kevin Beaumontreported that Fortinet Fortigate SSL VPN endpoints that are vulnerable to CVE-2018-13379 – a vulnerability that could allow an unauthenticated attacker to download files, including usernames and passwords – have been exploited in the wild. Mursch, meanwhile, recently reported about a specific mass scanning activitywhich attempted to exploit Fortinet FortiGate SSL VPN endpoints that were vulnerable to CVE-2018-13379.

Prevention

The severity of exposing your organization’s assets via unpatched SSL VPN devices can’t of underestimated. Both Fortinet and Pulse Secure call on affected customers to immediately implement all appropriate patch updates.

Attackers are quick to weaponized known security vulnerabilities. The availability of proof-of-concept code that exploits known vulnerabilities contribute to the active targeting of certain devices. In less than 2 weeks, proof-of-concept code that could exploit Fortinet and Pulse Secure SSL VPNs have become available to the public.

It’s important to note that up to date SSL VPN devices that applied the recent patches are protected from these recent attacks. As such, it’s important to keep your organization’s SSL VPN device or devices up to date with the latest patches.

Our IT and information security experts can help your team identify and mitigate the threats before it becomes a real problem. For proactive assessment, please call us today (416) 920-3000or email sales@genx.ca