Patch Now: Ongoing Exploitation of Known Vulnerabilities in Several VPN Products Reported
The UK’s National Cyber Security Centre (NCSC) has issued an alert to both UK and international organizations about the ongoing exploitation of known vulnerabilities in a number of VPN products from Pulse Secure, Fortinet and Palo Alto.
The latest security alert from the NCSC echoes an earlier security alert from the Canadian Centre for Cyber Security. According to the NCSC, the highest-impact vulnerabilities known to be exploited by malicious actors are the following:
Pulse Connect Secure:
- CVE-2019-11510: A pre-auth arbitrary file reading vulnerability that allows an unauthenticated remote attacker to read any file on the appliance.
- CVE-2019-11539: A post-auth command injection vulnerability in Pulse Connect Secure’s VPN admin web interface that allows an authenticated attacker to inject and execute commands.
Fortinet FortiGate SSL VPN:
- CVE-2018-13379: A pre-auth arbitrary file reading vulnerability in Fortinet’s VPN web portal that allows an unauthenticated attacker to download system files.
- CVE-2018-13382: A vulnerability that allows an unauthenticated attacker to change the password of a Fortinet VPN web portal user.
- CVE-2018-13383: A post-auth heap overflow vulnerability that may terminate Fortinet’s VPN web service for logged-in users.
Palo Alto Networks GlobalProtect:
- CVE-2019-1579: A vulnerability in the Palo Alto Networks GlobalProtect Portal that allows an unauthenticated attacker to perform remote code execution.
Discovery of the VPN Vulnerabilities
The above-mentioned vulnerabilities in the VPN products of Pulse Secure, Fortinet and Palo Alto were first publicly disclosed by security researchers at DEVCORE during the recently concluded Black Hat conference. The researchers also wrote a three-part blog post detailing the vulnerabilities they found in the three vendors’ products. According to DEVCORE, the vulnerabilities were reported to Pulse Secure, Fortinet and Palo Alto before public disclosure, and the necessary patches were released.
While the researchers discussed certain aspects of how the vulnerabilities they discovered could be exploited, they did not release ready-to-use exploits that others could simply copy and paste. According to the DEVCORE researchers, someone else later published working exploits on GitHub and exploit-db, enabling malicious actors to copy and paste them to further their malicious acts.
“Honestly, we couldn’t say they are wrong [in publicly releasing the exploits], because the bugs are absolutely fixed several months ago, and they spent their time differing/reversing/reproducing,” the DEVCORE researchers said. “But it’s indeed a worth discussing question to the security community: if you have a nuclear level weapon, when is it ready for public disclosure?”
When the DEVCORE researchers reported the VPN vulnerability to Palo Alto, the company’s response was that it was already internally known and had been patched prior to the researchers’ discovery. Despite the available patch, some organizations did not apply it. Because Uber had not applied Palo Alto’s patch, the DEVCORE researchers reported that they were able to gain access to Uber’s system, and they reported the incident via the company’s bug bounty program.
In response to the report, the DEVCORE researchers said, Uber took the right step in fixing the vulnerability. Uber, meanwhile, rated the severity of the vulnerability as “low”, because the affected Palo Alto SSL VPN isn’t the primary VPN used by the majority of its employees and because the SSL VPN was hosted in the cloud rather than in its core infrastructure, so outsiders were unable to “access any of our internal infrastructure or core services”.
In the case of the vulnerabilities discovered by the DEVCORE researchers in Pulse Secure’s SSL VPN, the researchers were the first to discover them. They reported the vulnerabilities to Pulse Secure and allowed the company time to release patches before disclosing the vulnerabilities publicly. Pulse Secure patched all the reported vulnerabilities on April 24, 2019.
In a blog post dated September 2, 2019, the DEVCORE researchers said that they were able to gain initial access to Twitter’s intranet and achieve remote code execution because Twitter had failed to apply Pulse Secure’s available SSL VPN patches. As the researchers described it, compromising Twitter’s intranet wasn’t an easy task: after gaining initial access through the unpatched VPN, they were blocked by 2-factor authentication and a series of other security measures implemented by Twitter. The researchers were nevertheless able to get past these measures and reported their findings to Twitter via the company’s bug bounty program.
Bad Packets reported that in August 2019 it detected opportunistic mass scanning activity targeting Pulse Connect Secure VPN server endpoints vulnerable to CVE-2019-11510. The targeted organizations, Bad Packets reported, included numerous Fortune 500 companies and government agencies, public universities and schools, hospitals and health care providers, and financial institutions. Also in August 2019, security researcher Kevin Beaumont reported that the Fortinet FortiGate SSL VPN was being exploited in the wild.
Preventive and Mitigating Measures
According to the DEVCORE researchers who discovered these SSL VPN vulnerabilities, requiring a valid client-side certificate is one of the effective methods of preventing these exploitations. “Without a valid certificate, the malicious connection will be dropped during SSL negotiation,” the researchers said.
It’s also important to protect your organization’s SSL VPN with 2-factor authentication. While 2-factor authentication isn’t a guarantee that attackers can’t gain access to your organization’s systems, requiring a second factor adds another layer of protection that an attacker must defeat and reduces the attack surface.
Keeping your organization’s SSL VPN up to date by applying the latest patches is another preventive measure against the reported ongoing SSL VPN exploitation, as every vulnerability listed above has a patch available from the respective SSL VPN vendor.
When you need help with proactive, timely patching of your IT systems, our experts are ready to help. Call today (416) 920-3000 or email us at firstname.lastname@example.org