Hackers are targeting vulnerable VPN products from Pulse Secure and Fortinet that pose risks to enterprise networks.
Hackers are targeting unpatched virtual private network (VPN) products, including Pulse Secure’s SSL VPN and Fortinet’s Fortigate SSL VPN. Organizations use popular SSL VPNs like these to give employees remote access to the enterprise network.
Both Pulse Secure and Fortinet issued patches for the vulnerabilities in April and May 2019, respectively. However, it didn’t take long before attackers started scanning for and targeting the unpatched devices.
Scanning vulnerable Pulse Secure VPNs
Researchers from Bad Packets detected over the weekend “mass scanning” for 14,500 Pulse Secure (Pulse Connect Secure) VPN endpoints vulnerable to CVE-2019-11510.
CVE-2019-11510 is an arbitrary file reading vulnerability that an unauthenticated remote attacker can exploit to steal sensitive data, such as private keys and user passwords. To make matters worse, an attacker who has that data can then pivot to take advantage of other unpatched vulnerabilities on the same appliance.
“Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside the private VPN network,” the researchers added in a blog post.
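A pre-auth arbitrary file read like the one described above leaves a trace in the appliance’s web access log: requests from a source that never authenticated, containing directory-traversal sequences and aiming at files such as /etc/passwd or private keys. The following script is an added example, not code from the article, from Bad Packets, or from Pulse Secure; it flags such requests in a constructed Apache/nginx-style combined log and counts hits per source IP, since one address producing many of them is what mass scanning looks like from the defender’s side. The log format, the sample lines and the request strings are assumptions: the indicators are generic traversal and sensitive-file patterns, not the actual exploit payload for CVE-2019-11510.

```python
"""Flag path-traversal / arbitrary-file-read attempts in a VPN appliance access log.

Added example, not the article's or any vendor's code. The combined log
format, the sample lines and the indicator patterns are assumptions for
illustration; the requests are generic traversal probes, not the real
exploit strings for the CVEs the article names.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log line: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generic traversal indicators, checked only after URL decoding.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
# Files an attacker typically reads once traversal works (assumed list).
SENSITIVE_RE = re.compile(r'(/etc/passwd|/etc/shadow|/etc/hosts|\.pem$|\.key$|id_rsa)', re.I)


def decode_path(raw: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded ../ (%252e%252e%252f) is also caught."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line: str):
    """Return a finding dict for a suspicious request line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m['path'])
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append('traversal')
    if SENSITIVE_RE.search(decoded):
        reasons.append('sensitive-file')
    if not reasons:
        return None
    # 'served' marks a 200 response: the file was most likely actually returned.
    return {'ip': m['ip'], 'ts': m['ts'], 'path': decoded,
            'status': int(m['status']), 'reasons': reasons,
            'served': m['status'] == '200'}


def scan_log(lines):
    """Run classify() over every line and return the list of findings."""
    return [f for f in (classify(l) for l in lines) if f]


def top_sources(findings, n=5):
    """Count findings per source IP; one IP with many hits is scanner-like behaviour."""
    return Counter(f['ip'] for f in findings).most_common(n)


# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Aug/2019:03:14:01 +0000] "GET /login HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Aug/2019:03:14:02 +0000] "GET /static/../../../../../../etc/passwd HTTP/1.1" 200 1893 "-" "python-requests/2.22.0"',
    '203.0.113.7 - - [24/Aug/2019:03:14:03 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 212 "-" "python-requests/2.22.0"',
    '198.51.100.20 - - [24/Aug/2019:03:15:10 +0000] "GET /static/%252e%252e%252f%252e%252e%252fhome/admin/.ssh/id_rsa HTTP/1.1" 404 180 "-" "curl/7.64.0"',
    '192.0.2.44 - - [24/Aug/2019:03:16:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {'SERVED' if h['served'] else 'blocked'} {h['reasons']} {h['path']}")
    print('top sources:', top_sources(hits))
```

The distinction the script draws between served (HTTP 200) and blocked probes is the one that matters during triage: a 200 on a traversal request to a sensitive file means the appliance was unpatched at the time and the credentials or keys it holds should be treated as exposed, which is exactly the pivot the Bad Packets researchers warn about.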
Devcore researchers Meh Chang and Orange Tsai had presented their findings on the VPN vulnerabilities earlier this month at Black Hat USA 2019. They also published proof-of-concept (PoC) exploit details for the Fortigate issues and warned that details for Pulse Secure would be released soon as well.
In their blog post, the researchers describe the following Fortigate vulnerabilities (along with exploit code):
- CVE-2018-13379: Pre-auth arbitrary file reading
- CVE-2018-13380: Pre-auth XSS
- CVE-2018-13381: Pre-auth heap overflow
- CVE-2018-13382: The magic backdoor
- CVE-2018-13383: Post-auth heap overflow
The researchers had disclosed similar issues in Palo Alto Networks’ GlobalProtect VPN product just last month as well.
VPN vulnerability mitigations
Organizations should review Pulse Secure’s out-of-cycle advisory SA44101 (April 2019), which covers fixes for multiple vulnerabilities: CVE-2019-11510, CVE-2019-11508, CVE-2019-11540, CVE-2019-11543, CVE-2019-11541, CVE-2019-11542, CVE-2019-11539, CVE-2019-11538, CVE-2019-11509 and CVE-2019-11507.
Fortinet’s updates likewise include patches for the vulnerabilities described above, including the arbitrary file reading bug CVE-2018-13379.