Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNsVendors Issued Security Updates to Fix Severe Flaws Several Months Ago
Hackers in recent days have been hunting for SSL VPNs manufactured by both Fortinet and Pulse Secure that have yet to be updated to fix serious security flaws, security experts warn.
See Also: The Evolution of Email Security
There's been a surge in scanning attempts by attackers to locate and automatically hack these devices, exploiting known flaws that allow them to steal passwords and other sensitive data. With stolen passwords in hand, attackers can potentially gain full, remote access to organizations' networks.
The attacks come despite both vendors having released patches several months ago - Pulse Secure in April, Fortinet in May - via firmware updates that included security fixes. Both vendors warned that all customers should install the updates as quickly as possible, given the severity of the flaws. Many organizations, however, apparently have yet to install the updated software, and thus remain at elevated risk from escalating exploit attempts.
Internet scans count at least 480,000 Fortinet Fortigate SSL VPN endpoints connected to the internet, although it's unclear how many remain unpatched. But experts say that of about 42,000 Pulse Secure SSL VPN endpoints seen online, more than 14,000 of them - a majority of which are located in the United States - remain unpatched.
In recent days, reports of attacks against vulnerable Pulse Secure and Fortinet SSL VPNs have been escalating.
On Thursday, Troy Mursch of Chicago-based threat intelligence firm Bad Packets warned that his firm's honeypots had detected opportunistic, large-scale mass scanning activity by hackers looking for Pulse Secure VPN SSL servers vulnerable to CVE-2019-11510. "This arbitrary file reading vulnerability allows sensitive information disclosure enabling unauthenticated attackers to access private keys and user passwords," he said. "Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside the private VPN network."
This sensitive information disclosure vulnerability allows unauthenticated attackers to access private keys and user passwords.— Bad Packets Report (@bad_packets) August 22, 2019
Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539).
Independent British security researcher Kevin Beaumont on Thursday also reported seeing attackers actively targeting CVE-2019-11510 in unpatched versions of Pulse Secure SSL VPN.
"Lots of companies have the basics around patching Windows and Linux down, as they have vulnerability management platforms and agents," Beaumont said. "Those don’t extend to FortiOS and Pulse Secure. So they just don’t patch as they never see [vulnerabilities]."
Target: Pulse Secure SSL VPNs
On Saturday, Mursch said that nearly 15,000 unpatched Pulse Secure VPN servers appeared to still be at risk, based on an analysis of scans he conducted using BinaryEdge, which found a total of 41,850 Pulse Secure VPN endpoints, most of which had been patched.
"Our scans found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510," Mursch says, as well as 2,535 unique networks with vulnerable devices in 121 countries.
Mursch says IP addresses of vulnerable Pulse Secure VPNs trace to:
- Major financial institutions;
- U.S. military, federal, state, and local government agencies;
- Public universities and schools;
- Hospitals and healthcare providers;
- Electric and gas utilities;
- Numerous Fortune 500 companies.
The greatest number of organizations with unpatched Pulse Secure SSL VPNs are located in the U.S. "The list of affected organizations will not be published because this critical vulnerability is easy to exploit using publicly available proof-of-concept code," Mursch said. But he noted that he has shared his findings with US-CERT and federal law enforcement agencies and will share them for free with any country's computer emergency response team.
Target: Fortigate SSL VPNs
Reports of mass scanning to identify and exploit vulnerable Fortigate SSL VPNs are also increasing. On Sunday, Beaumont reported seeing "the Fortigate SSL VPN backdoor being used in the wild" via one of his honeypots.
Just seen the Fortigate SSL VPN backdoor being used in the wild on the honeypot. Mass stuff of /remote/logincheck to change password using 4tinet* backdoor, cycling a mass list of usernames (support, admin etc)— Kevin Beaumont (@GossiTheDog) August 25, 2019
To catch it you need to serve page back via /remote/login* first.
"CVE-2018-13379 is being exploited in the wild on Fortigate SSL VPN firewalls," Beaumont says. "These [devices] exist as a perimeter security control, so it's a bad vulnerability."
Same Researchers Alerted Both Vendors
Just how widespread are such flaws in SSL VPNs? Researchers Meh Chang (@mehqq_) and Orange Tsai (@orange_8361) at Taipei City, Taiwan-based consultancy Devcore asked that question last August, given the prevalence and reliance on such equipment.
"What if this trusted equipment is insecure? It is an important corporate asset but a blind spot of corporation," they said.
In addition, they noted, among the largest 500 publicly traded U.S. companies, just three SSL VPN vendors commanded 75 percent market share. "The diversity of SSL VPN is narrow. Therefore, once we find a critical vulnerability on the leading SSL VPN, the impact is huge," they said. "There is no way to stop us because SSL VPN must be exposed to the internet."
Based on their count of recent publicly exposed common vulnerabilities and exposures in SSL VPNs, it appeared that Cisco equipment would be the riskiest to use. To test that hypothesis, the researchers began looking at SSL VPNs and found exploitable flaws in both Pulse Secure and Fortinet equipment. The researchers reported flaws to Fortinet on Dec. 11, 2018, and to Pulse Secure on March 22.
'Magic' String Unlocks Fortinet Gear
In response, Fortinet released a security advisory on May 24 and updates to fix 10 flaws, some of which could be exploited to gain full, remote access to a device and the network it was meant to be protecting. In particular, it warned that one of the flaws, "a path traversal vulnerability in the FortiOS SSL VPN web portal" - CVE-2018-13379 - could be exploited to enable "an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests."
Such FortiOS system files contain sensitive information, including passwords, meaning attackers could quickly give themselves a way to gain full access to an enterprise network.
In its security alert, Fortinet warned all users to update their firmware to FortiOS 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above, to safeguard themselves. On June 4, it also detailed some temporary workarounds that could help protect organizations until they could install the patch.
In a blog post released last month, the Devcore researchers recapped their Black Hat 2019 demonstration from early August, demonstrating how the flaws they'd found in Fortinet devices could be exploited.
"In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password," the researchers said.
Given the large number of Fortigate SSL VPNs that still seemed to not have been patched, the researchers said that they were not going to publicly disclose the magic string. But they noted that German security consultancy Code White had also identified the underlying flaw, and they said it was certain that malicious attackers would quickly find it too. "Please update your Fortigate ASAP!" they said.
Critical vulns in #FortiOS reversed & exploited by our colleagues @niph_ and @ramoliks - patch your #FortiOS asap and see the #bh2019 talk of @orange_8361 and @mehqq_ for details (tnx guys for the teaser that got us started) pic.twitter.com/TLLEbXKnJ4— Code White GmbH (@codewhitesec) July 2, 2019
Pulse Secure Issued Patches in April
Pulse Secure, about four weeks after receiving the Devcore researchers' bug alert in March, on April 24 released updated software and urged customers to upgrade all affected products "as soon as possible." The vendor warned that exploit code had already been released, and that aside from patching, no workaround would protect systems. Subsequently, however, it has detailed workarounds, but only for two of 10 different vulnerabilities that it was patching.
"Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS)," Pulse Secure said in its April 24 alert. "This includes an authentication bypass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Many of these vulnerabilities have a critical CVSS score and pose significant risk to your deployment."
For the 10 flaws that Pulse Secure patched, it credited their collective discovery to Devcore's Tsai and Chang, plus Jake Valletta of FireEye, saying they'd reported the flaws to the vendor on March 22.
On Wednesday, bug hunters Alyssa Herrera and Justin Wagner created a freely available module for Metasploit, the open source penetration testing framework, that they say will exploit the "arbitrary file disclosure vulnerability" - CVE-2019-11510 - in "Pulse Secure SSL VPN versions 8.1R15.1, 8.2, 8.3, and 9.0."
This isn't the first time that serious flaws have been found and patched in enterprise-grade networking gear.
In 2016, for example, experts warned that they'd found a vulnerability in FortiGate OS - the firmware that runs its devices - that functioned as an SSH backdoor, not long after researchers had found an authentication bypass flaw in Juniper's ScreenOS firmware. At the time, Juniper warned that its code may have been tampered with. Fortinet, however, said that a code review had proved that the error was inadvertent (see: Fortinet Refutes SSH 'Backdoor' Report).