Attackers are taking advantage of recently released vulnerability details and PoC exploit code to extract private keys and user passwords from vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations.
About the vulnerabilities
Attackers have been scanning for and targeting two vulnerabilities:
- CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure
- CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal
Both vulnerabilities can be exploited remotely and without authentication by sending a specially crafted HTTPS request, and both allow attackers to download files and extract sensitive information from vulnerable servers.
Fixes exist for both: Pulse Secure released them in April and Fortinet in May, months before Devcore researchers Meh Chang and Orange Tsai shared their discovery with the audience at Black Hat USA 2019.
The researchers also released technical details and PoC exploit code for the Fortigate flaw earlier this month and plan to do the same for the Pulse Secure one soon.
Since then, additional exploits for both have been published on GitHub.
Active scanning and exploitation attempts
It didn’t take long for attackers to try to take advantage of the published material and exploits.
Cyber threat intelligence firm Bad Packets warned on Friday about mass scanning activity aimed at vulnerable Pulse Connect Secure endpoints. As the scanning continues and ramps up, they’ve pointed out that there are still nearly 15,000 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510 out there.
“2,535 unique autonomous systems (network providers) were found to have vulnerable Pulse Secure VPN endpoints on their network. We’ve discovered this vulnerability currently affects U.S. military, federal, state, and local government agencies, public universities and schools, hospitals and health care providers, electric utilities, major financial institutions, and numerous Fortune 500 companies,” they shared.
Researcher Kevin Beaumont also flagged attacks against Fortigate servers:
Fortigate Fortinet SSL VPN is being exploited in the wild since last night at scale using 1996 style ../../ exploit – if you use this as a security boundary, you want to patch ASAP https://t.co/IaBSqZJ9iS
— Kevin Beaumont (@GossiTheDog) August 22, 2019
What to do?
Obviously, there is no time to waste: admins are advised to update their vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations as soon as possible.
By exploiting these vulnerabilities, attackers can acquire credentials that would allow them to gain access to sensitive enterprise networks.
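Because both flaws are triggered by an unauthenticated HTTPS request and the Fortigate one is described above as a "../../" traversal, request logs from in front of the VPN portal are worth reviewing alongside patching. The following is an added example, not code from the article or from either vendor: it flags logged request targets that contain a ".." segment after percent-decoding, and it goes beyond the plain "../../" case by also catching encoded and double-encoded forms. The log format (common log format with the raw, un-normalized request target), the paths and the addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (documentation IP ranges, made-up paths); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Aug/2019:03:14:07 +0000] "GET /portal/login HTTP/1.1" 200 5120
203.0.113.9 - - [22/Aug/2019:03:14:09 +0000] "GET /portal/lang?name=/../../../etc/example HTTP/1.1" 200 812
203.0.113.9 - - [22/Aug/2019:03:14:11 +0000] "GET /portal/%2e%2e/%2e%2e/data/example HTTP/1.1" 404 0
192.0.2.44 - - [22/Aug/2019:03:15:30 +0000] "GET /portal/help/..%252f..%252fconfig HTTP/1.1" 200 2048
198.51.100.7 - - [22/Aug/2019:03:16:02 +0000] "GET /portal/files/report..v2.pdf HTTP/1.1" 200 90211
"""

# Assumed layout: client, ident, user, [time], "METHOD target PROTO", status, size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots and slashes are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def has_traversal(target):
    """True if any path or query component is exactly '..' after decoding."""
    decoded = fully_decode(target).replace("\\", "/")
    return ".." in re.split(r"[/?&=;]", decoded)

def find_traversal_requests(log_text):
    """Return one record per logged request whose target contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, ts, _method, target, status, _size = m.groups()
        if has_traversal(target):
            hits.append({"ip": ip, "time": ts, "target": target,
                         "status": int(status), "served": status.startswith("2")})
    return hits

if __name__ == "__main__":
    for h in find_traversal_requests(SAMPLE_LOG):
        print(h["time"], h["ip"], "SERVED" if h["served"] else "rejected", h["target"])
```

A hit with a 2xx status is the one to escalate first, since a served traversal request is how the private keys and passwords mentioned above would have left the device.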
from Help Net Security https://ift.tt/2Zf0lGs