
Remediate Critical RCE Vulnerabilities in an Enterprise VPN

Rhett | January 16, 2020

The US Cybersecurity and Infrastructure Security Agency (CISA) has alerted organizations to patch their Pulse Secure VPN servers as a defense against ongoing attacks that try to exploit a known remote code execution (RCE) vulnerability.

This warning follows another alert issued by CISA in October 2019, and others coming from the National Security Agency (NSA), the Canadian Centre for Cyber Security, and UK’s National Cyber Security Center (NCSC). 

Suggested Remediation Measures:

1. Pulse Connect Secure
  • CVE-2019-11510 – pre-auth arbitrary file reading: An unauthenticated remote attacker can craft and send a Uniform Resource Identifier (URI) to read files. This vulnerability affects Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.

POC:

  • CVE-2019-11510 – Exploit Database (Pulse Connect Secure)
  • CVE-2019-11510 – GitHub: CVE-2019-11510-poc (Pulse Connect Secure)

  • CVE-2019-11539 – post-auth command injection: The admin web interface allows an authenticated attacker to inject and execute commands. This vulnerability affects Pulse Secure PCS version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1.

How to Remediate:

If you are using Pulse Secure products for VPN, patch immediately with the linked solution to mitigate these 2 vulnerabilities (and 8 more).

2. Fortinet FortiOS
  • CVE-2018-13379 pre-auth arbitrary file reading: A path traversal vulnerability under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. This vulnerability affects Fortinet FortiOS 6.0.0 to 6.0.4 and 5.6.3 to 5.6.7. 

POC:

  • CVE-2018-13379 – GitHub: CVE-2018-13379 (FortiGate SSL VPN)
  • CVE-2018-13379 – Exploit Database (FortiGate SSL VPN)

  • CVE-2018-13382 – this vulnerability allows an unauthenticated attacker to change the password of an SSL VPN web portal user via specially crafted HTTP requests. This vulnerability affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, and 5.4.1 to 5.4.10.
  • CVE-2018-13383 – post-auth heap overflow: This allows an attacker to gain a shell running on the router. A heap buffer overflow in the SSL VPN web portal can terminate the SSL VPN web service for logged-in users due to a failure to properly handle JavaScript href data when proxying web pages. Affects all Fortinet FortiOS versions below 6.0.5.

POC:

  • CVE-2018-13379, CVE-2018-13383 – Blog from Meh Chang and Orange Tsai (FortiGate SSL VPN)
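
Both CVE-2019-11510 (Pulse Connect Secure) and CVE-2018-13379 (FortiOS SSL VPN) are pre-auth file reads driven by a crafted request, so the defender-side check is the same for both: look through the web access log of the VPN appliance (or of the reverse proxy in front of it) for requests that try to climb above the web root. The script below is an added example written for this post, not code from either vendor or from the original article; the log lines are constructed in a simplified combined-log format, and `LOG_RE` is an assumption you would adapt to the format your appliance actually writes. It decodes percent-encoding repeatedly (so double-encoded `%252e` is caught), treats backslashes as separators, and counts `..` only as a whole path segment, so a file called `logo..png` does not trigger it.

```python
"""Flag HTTP requests whose path or query carries a directory-traversal sequence.

Added example for this post, not code from Pulse Secure, Fortinet or the
original article. The log format is a constructed, combined-log-style line;
adapt LOG_RE to whatever your VPN appliance or the reverse proxy in front of
it actually writes.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not captured from a real appliance).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [16/Jan/2020:10:02:11 +0000] "GET /vpn/login HTTP/1.1" 200 5120
203.0.113.10 - - [16/Jan/2020:10:02:15 +0000] "GET /vpn/login?lang=en HTTP/1.1" 200 2210
198.51.100.7 - - [16/Jan/2020:10:03:01 +0000] "GET /portal/../../../../etc/passwd HTTP/1.1" 404 312
198.51.100.7 - - [16/Jan/2020:10:03:02 +0000] "GET /portal/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 312
198.51.100.7 - - [16/Jan/2020:10:03:04 +0000] "GET /portal/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 312
192.0.2.44 - - [16/Jan/2020:10:04:30 +0000] "GET /images/logo..png HTTP/1.1" 200 9000
"""

# Assumed log layout: client - - [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots (%252e) are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_depth(path):
    """How many levels above the document root the path tries to reach.

    Walks the segments with a depth counter; each '..' that drops the counter
    below zero is an attempt to escape the root. Backslashes count as
    separators too. '/logo..png' scores 0 because '..' must be a whole segment.
    """
    depth = worst = 0
    for seg in re.split(r'[\\/]+', path):
        if seg == '..':
            depth -= 1
            worst = min(worst, depth)
        elif seg not in ('', '.'):
            depth += 1
    return -worst


def traversal_candidates(target):
    """Yield the decoded path and every decoded query value of a request target."""
    parts = urlsplit(target)
    yield fully_decode(parts.path)
    for pair in parts.query.split('&'):
        if pair:
            yield fully_decode(pair.partition('=')[2])


def is_traversal(target):
    return any(traversal_depth(c) > 0 for c in traversal_candidates(target))


def scan_access_log(text):
    """Return one finding per request that attempts to climb above the web root."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal(m['target']):
            findings.append({'ip': m['ip'], 'ts': m['ts'], 'target': m['target'],
                             'status': int(m['status'])})
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']} {f['ts']} {f['status']} {f['target']}")
```

A 404 on a traversal attempt tells you the request was made, not that it failed on a patched box; a 200 with a non-trivial body on the same pattern is the line to escalate. Run it over the retention window that covers the period before the patch was applied, since the advisories above concern exploitation that was already in progress.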

How to Remediate:

To mitigate the risk, apply the patches from the Fortinet advisory to your Fortinet products.

| Fortinet Advisory | Affected Versions | Patch Date |
|---|---|---|
| CVE-2018-13379 (FG-IR-18-384) | FortiOS 6.0.0 – 6.0.4, FortiOS 5.6.3 – 5.6.7 | 5/24/19 |
| CVE-2018-13380 (FG-IR-18-383) | FortiOS 6.0.0 – 6.0.4, FortiOS 5.6.0 – 5.6.7, FortiOS <= 5.4 | 5/24/19 |
| CVE-2018-13381 (FG-IR-18-387) | FortiOS 6.0.0 – 6.0.4, FortiOS 5.6.0 – 5.6.7, FortiOS <= 5.4 | 5/24/19 |
| CVE-2018-13382 (FG-IR-18-389) | FortiOS 6.0.0 – 6.0.4*, FortiOS 5.6.0 – 5.6.8*, FortiOS 5.4.1 – 5.4.10* | 5/24/19 |
| CVE-2018-13383 (FG-IR-18-388) | FortiOS 6.0.0 – 6.0.4, FortiOS <= 5.6.10 | 4/2/19 |

* Vulnerable only when SSL VPN service is enabled.
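
Turning the table above into an inventory check is the practical next step: for every FortiGate you own, feed in its FortiOS build and whether SSL VPN is enabled, and get back the advisories that still apply. The script below is an added example for this post, not Fortinet's own code or data feed; the version ranges are transcribed from the table. One interpretation is assumed and marked in the code: a bound written with fewer components, such as "<= 5.4", is read as covering every release on that branch, so 5.4.10 counts as affected.

```python
"""Check a FortiOS build against the advisory table in this post.

Added example, not Fortinet code; ranges transcribed from the table above.
Assumption: an upper bound with fewer components ("<= 5.4") covers the whole
5.4 branch, so 5.4.10 is inside it.
"""

# (CVE, Fortinet advisory id, affected ranges as (low, high) with None = no
#  lower bound, whether the flaw is exposed only when SSL VPN is enabled)
FORTIOS_ADVISORIES = [
    ("CVE-2018-13379", "FG-IR-18-384", [("6.0.0", "6.0.4"), ("5.6.3", "5.6.7")], False),
    ("CVE-2018-13380", "FG-IR-18-383", [("6.0.0", "6.0.4"), ("5.6.0", "5.6.7"), (None, "5.4")], False),
    ("CVE-2018-13381", "FG-IR-18-387", [("6.0.0", "6.0.4"), ("5.6.0", "5.6.7"), (None, "5.4")], False),
    ("CVE-2018-13382", "FG-IR-18-389", [("6.0.0", "6.0.4"), ("5.6.0", "5.6.8"), ("5.4.1", "5.4.10")], True),
    ("CVE-2018-13383", "FG-IR-18-388", [("6.0.0", "6.0.4"), (None, "5.6.10")], False),
]


def version_tuple(v):
    """'5.6.10' -> (5, 6, 10); tuples compare numerically, so 5.6.10 > 5.6.9."""
    return tuple(int(part) for part in v.split('.'))


def in_range(version, low, high):
    """True when version lies within [low, high]; low=None means no lower bound."""
    v, hi = version_tuple(version), version_tuple(high)
    # Assumption: a short upper bound ("5.4") names a branch, so any 5.4.x is
    # still inside it even though (5, 4, 10) > (5, 4) as tuples.
    above_high = v > hi and v[:len(hi)] != hi
    below_low = low is not None and v < version_tuple(low)
    return not (above_high or below_low)


def applicable_advisories(version, sslvpn_enabled=True):
    """Return (CVE, advisory id) pairs from the table that apply to this build."""
    hits = []
    for cve, advisory, ranges, needs_sslvpn in FORTIOS_ADVISORIES:
        if needs_sslvpn and not sslvpn_enabled:
            continue
        if any(in_range(version, lo, hi) for lo, hi in ranges):
            hits.append((cve, advisory))
    return hits


if __name__ == '__main__':
    for build in ("6.0.3", "5.6.8", "5.4.3", "6.0.5"):
        print(build, [cve for cve, _ in applicable_advisories(build)])
```

Treat the `sslvpn_enabled` flag as a prioritisation aid only: the footnote in the table says CVE-2018-13382 needs the SSL VPN service to be reachable, but the other four apply regardless, so a FortiGate with SSL VPN disabled still needs the 5/24/19 and 4/2/19 patch levels.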

3. Palo Alto GlobalProtect Portal
  • CVE-2019-1579 – RCE might allow an unauthenticated remote attacker to execute arbitrary code. This vulnerability affects PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled. 

POC: https://github.com/securifera/CVE-2019-1579/blob/master/CVE-2019-1579_8.0.7_mips.py

How to Remediate: 

Upgrade the product to a non-vulnerable version:

| Affected version | Fixed version |
|---|---|
| PAN-OS 7.1.18 and earlier | PAN-OS 7.1.19 and later |
| PAN-OS 8.0.11 and earlier | PAN-OS 8.0.12 and later |
| PAN-OS 8.1.2 and earlier | PAN-OS 8.1.3 and later |

This vulnerability does not impact PAN-OS 9.0.

Vendor advisory: https://securityadvisories.paloaltonetworks.com/Home/Detail/158 

Mitigating Risk From Enterprise VPN 

In order to mitigate risk from enterprise VPN, the following best practices should be followed:

  • Review the VPN log files for evidence of compromised accounts in active use.
  • Look for connections at odd times and other unusual events that may require further investigation.
  • Ensure that you can patch and maintain the remote access solution.
  • Add multi-factor authentication (MFA) when using VPN.
  • Review the end-user license agreements and examine the reviews before purchasing a VPN solution. Ask trusted forums for advice and guidance on VPN solutions.
  • Make sure you can update and service the application even at remote locations.
  • Provide guidance and education to users on how to properly use VPN.
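
The first two items, reviewing the logs for compromised accounts in active use and for connections at odd times, can be made routine with a small script that reads the appliance's authentication events and applies a few rules. The script below is an added example for this post, not code from the article or any VPN vendor. Its input format is constructed (one line per authentication attempt, with `user=`, `src=` and `result=` fields); the field names, the 07:00 to 20:00 work-hours window, and the thresholds are assumptions to tune for your environment. It flags three things: successful logins outside work hours or on weekends, one account succeeding from two different source addresses inside a short window, and a burst of failures followed by a success from the same source.

```python
"""Review VPN authentication logs for the warning signs listed above.

Added example for this post, not code from the article or any VPN vendor.
The log format is constructed (one line per authentication attempt); map the
fields from your appliance's syslog or SIEM export into the same parse step.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (2020-01-14 is a Tuesday).
SAMPLE_VPN_LOG = """\
2020-01-14T08:55:10Z user=alice src=203.0.113.10 result=success
2020-01-14T09:02:41Z user=bob src=198.51.100.23 result=success
2020-01-14T03:12:05Z user=carol src=192.0.2.77 result=success
2020-01-14T09:10:00Z user=alice src=198.51.100.99 result=success
2020-01-14T12:00:01Z user=dave src=203.0.113.55 result=failure
2020-01-14T12:00:05Z user=dave src=203.0.113.55 result=failure
2020-01-14T12:00:09Z user=dave src=203.0.113.55 result=failure
2020-01-14T12:01:30Z user=dave src=203.0.113.55 result=success
"""

# Assumed line layout; adapt to your appliance's export.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$')


def parse_vpn_log(text):
    """Parse lines into events sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({'ts': datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ'),
                       'user': m['user'], 'src': m['src'],
                       'ok': m['result'] == 'success'})
    return sorted(events, key=lambda e: e['ts'])


def review_vpn_log(text, work_hours=(7, 20), hop_window=timedelta(minutes=30),
                   fail_window=timedelta(minutes=10), fail_threshold=3):
    """Return findings for off-hours logins, one account used from several
    sources in a short window, and a burst of failures followed by a success."""
    events = parse_vpn_log(text)
    findings = []

    # Rule 1: successful logins at odd times (outside work hours or on weekends).
    for e in events:
        odd_hour = not (work_hours[0] <= e['ts'].hour < work_hours[1])
        if e['ok'] and (odd_hour or e['ts'].weekday() >= 5):
            findings.append({'rule': 'off_hours', 'user': e['user'],
                             'detail': e['src'], 'ts': e['ts']})

    # Rule 2: the same account succeeding from different sources within
    # hop_window, a common sign that stolen credentials are in use alongside
    # the real user.
    by_user = defaultdict(list)
    for e in events:
        if e['ok']:
            by_user[e['user']].append(e)
    for user, logins in by_user.items():
        for i, first in enumerate(logins):
            for later in logins[i + 1:]:
                if later['ts'] - first['ts'] > hop_window:
                    break
                if later['src'] != first['src']:
                    findings.append({'rule': 'multi_source', 'user': user,
                                     'detail': f"{first['src']} -> {later['src']}",
                                     'ts': later['ts']})
                    break

    # Rule 3: fail_threshold or more failures for the account, then a success,
    # all from one source inside fail_window (password guessing that worked).
    for i, e in enumerate(events):
        if not e['ok']:
            continue
        recent_failures = sum(
            1 for prior in events[:i]
            if not prior['ok'] and prior['user'] == e['user']
            and prior['src'] == e['src'] and e['ts'] - prior['ts'] <= fail_window)
        if recent_failures >= fail_threshold:
            findings.append({'rule': 'failures_then_success', 'user': e['user'],
                             'detail': f"{recent_failures} failures from {e['src']}",
                             'ts': e['ts']})
    return findings


if __name__ == '__main__':
    for f in review_vpn_log(SAMPLE_VPN_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['rule']:22} {f['user']:8} {f['detail']}")
```

Each finding is a lead for the "further investigation" the list calls for, not a verdict: a single off-hours login by someone on call is normal, while the same account succeeding from two addresses fifteen minutes apart is what you would expect once credentials read through one of the file-disclosure bugs above are in use, and the fix for that is the MFA item on the same list.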
