APT attackers exploit multiple VPN software vulnerabilities


Security experts are again warning that advanced persistent threat (APT) actors are exploiting vulnerabilities in multiple Virtual Private Network (VPN) applications.

The United Kingdom (UK) National Cyber Security Centre (NCSC) issued the alert on Wednesday and confirmed the vulnerabilities impact SSL VPN products from Pulse Secure, Palo Alto Networks and Fortinet.

An attacker could exploit the SSL VPN vulnerabilities to retrieve arbitrary files, including those containing authentication credentials.

“An attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure,” the NCSC warned in the news release.

“Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell.”

Security experts also alerted the public to similar attacks against vulnerable VPNs back in August.

Pulse Secure vulnerabilities

The NCSC also warned that attackers are exploiting two other vulnerabilities, CVE-2019-11510 and CVE-2019-11539, in Pulse Secure VPN products.

Both are summarized in the Pulse Secure advisory released in April and updated in August 2019:

  • CVE-2019-11510: Critical severity, pre-auth arbitrary file read.
  • CVE-2019-11539: High severity, post-auth command injection.

Of special note, the first vulnerability carries a CVSS v3 score of 10.0, the highest possible.

Earlier this year Pulse Secure also addressed eight (8) other vulnerabilities: one Critical, five High and two Medium severity.

Administrators and organizations should upgrade to the latest versions of Pulse Connect Secure as noted in the advisory.

Fortinet vulnerabilities

According to the NCSC, three Fortinet vulnerabilities are being exploited.

Fortinet provided updates to address these vulnerabilities between April and May of 2019:

  • CVE-2018-13379: Pre-auth arbitrary file read.
  • CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
  • CVE-2018-13383: Post-auth heap overflow, which allows an attacker to gain a shell running on the router.

Administrators should upgrade to the latest versions of FortiOS as noted in the Fortinet advisories linked above.

Palo Alto Networks VPN vulnerabilities

The NCSC also confirmed that attackers are exploiting one Palo Alto Networks GlobalProtect Portal vulnerability (CVE-2019-1579).

Palo Alto Networks released a security update and maintenance release that addressed the issue in July.

Finally, the NCSC recommended that organizations investigate their logs for evidence of compromise and look for suspicious connections to vulnerable URLs from impacted devices. This is especially critical if devices were not patched immediately after the fixes were released.
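As an added illustration of the log review recommended above (example code written for this article, not from the NCSC release or any vendor): a small Python scanner that reads web-portal access logs in combined format and flags requests whose decoded path or query-parameter value climbs above the web root, the directory-traversal pattern behind the pre-auth file-read bugs listed here. The log lines and traversal URLs are constructed for illustration; the portal path prefixes only serve as realistic context.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-format access log line (Apache/nginx style): source, request URL, status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(s):
    """URL-decode until stable, so double-encoded '%252e%252e' also collapses to '..'."""
    while (decoded := unquote(s)) != s:
        s = decoded
    return s.replace('\\', '/')

def escapes_root(value):
    """True if '..' segments climb above the directory the value starts in."""
    depth = 0
    for seg in value.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != '.':
            depth += 1
    return False

def traversal_candidates(url):
    """Yield the request path and every query-parameter value, fully decoded."""
    parts = urlsplit(url)
    yield decode_fully(parts.path)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        yield decode_fully(value)

def find_suspicious(log_text):
    """One finding per request carrying a traversal sequence anywhere in its URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and any(escapes_root(c) for c in traversal_candidates(m['url'])):
            findings.append({'src': m['src'], 'url': m['url'], 'status': int(m['status']),
                             # a 200 on such a request suggests the file was actually served
                             'likely_success': m['status'] == '200'})
    return findings

# Constructed sample log (not real exploit strings): one plain traversal in a path,
# one double-encoded traversal in a query parameter, plus ordinary portal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2019:03:14:07 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2019:03:14:09 +0000] "GET /dana-na/../../../../etc/passwd HTTP/1.1" 200 1764
198.51.100.23 - - [10/Oct/2019:03:15:25 +0000] "GET /remote/fgt_lang?lang=/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 312
192.0.2.9 - - [10/Oct/2019:03:16:01 +0000] "POST /global-protect/login.esp HTTP/1.1" 302 0
"""
```

Run `find_suspicious` over the real access logs of each portal and triage the flagged sources; a 200 response to a traversal request is the strongest indicator that credentials may have been read and should be rotated.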