Attackers are taking advantage of recently released vulnerability details and PoC exploit code to extract private keys and user passwords from vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations.
About the vulnerabilities
Attackers have been scanning for and targeting two vulnerabilities:
- CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure
- CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal.
Both vulnerabilities can be exploited remotely by sending a specially crafted HTTPS request, don’t require authentication, and allow attackers to download files/extract sensitive information from the vulnerable servers.
Fixes exist for both: Pulse Secure released them in April and Fortinet in May, months before Devcore researchers Meh Chang and Orange Tsai shared their discovery with the audience at Black Hat USA 2019.
The researchers also released technical details and PoC exploit code for the Fortigate flaw earlier this month and plan to do the same for the Pulse Secure one soon.
Since then, additional exploits for both have been published on GitHub (1, 2).
Active scanning and exploitation attempts
It didn’t take long for attackers to try and take advantage of the published material and exploits.
Cyber threat intelligence firm Bad Packets has warned on Friday about mass scanning activity aimed at vulnerable Pulse Connect Secure endpoints. As the scanning continues and ramps up, they’ve pointed out that there are still nearly 15,000 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510 out there.
“2,535 unique autonomous systems (network providers) were found to have vulnerable Pulse Secure VPN endpoints on their network. We’ve discovered this vulnerability currently affects U.S. military, federal, state, and local government agencies, public universities and schools, hospitals and health care providers, electric utilities, major financial institutions, and numerous Fortune 500 companies,” they shared.
Researcher Kevin Beaumont also flagged attacks against Fortigate servers:
Fortigate Fortinet SSL VPN is being exploited in the wild since last night at scale using 1996 style ../../ exploit – if you use this as a security boundary, you want to patch ASAP https://t.co/IaBSqZJ9iS
— Kevin Beaumont (@GossiTheDog) August 22, 2019
What to do?
Obviously, there is no time to waste: admins are advised to update their vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations as soon as possible.
By exploiting these vulnerabilities, attackers can acquire credentials that would allow them to gain access to sensitive enterprise networks.
UPDATE (August 28, 2019, 3:04 a.m. PT):
Scott Gordon, CMO at Pulse Secure, told Help Net Security that they have worked aggressively with their customers to deploy the patch fix made available in April.
“We cannot verify that the vulnerable server count as depicted by Bad Packets are at-risk exposures, but we can confirm that the majority of our customers have applied the patch. For example, some of the unpatched appliances that were discovered are test appliances and lab units that are typically isolated and not in production,” he said.
“However, Pulse Secure strongly recommends that customers apply the patch fix to all of their appliances as soon as possible. We are continuing to reach out to customers and partners that have not applied the patch fix and requesting that they do so immediately. Customers (or their Managed Service Provider) must install the patch fix on the Pulse Secure Appliance (physical or virtual) and then re-boot the appliance.”
The company’s support engineers can help customers who need assistance when it comes to applying this fix and fixes for other vulnerabilities, “even if they are not under an active maintenance contract.”