Rewterz Threat Alert – Vulnerable Corporate VPNs Exploited in the Wild

Severity

High

Analysis Summary

Recently, Nation-state attackers targeted vulnerable VPN servers. Vulnerabilities in VPNs of renowned global brands were exploited in these campaigns. The vulnerabilities continue to be exploited by Advanced Persistent Threat groups on a mass scale.

CVE-2019-11510

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This includes access to databases that the VPN server uses to track sessions, cleartext credentials, and NTLM hashes.
It should be noted that 2FA will not prevent an attacker from hijacking a valid authenticated session. Moreover, credentials stored on these databases must immediately be changed as the attackers are actively leveraging credentials to attempt to connect to other resources that may not require 2FA.

Read more on ‘How VPNs can be exploited by attackers’.

Impact

• Unauthorized network access
• Session takeover
• Remote code execution
• 2FA bypass
• Exploitation of stolen credentials

Affected Vendors

Pulse Secure

Affected Products

Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1
8.3 before 8.3R7.1
9.0 before 9.0R3.4

Remediation

• Block the threat indicators at their respective controls.
• Upgrade to a non-vulnerable version of the Pulse Secure VPN software.
• All credentials used on the system, both locally stored and from remote authentication sources, should be reset/changed immediately.
• Any multi-factor authentication API keys that may have been stored on the device should also be reset.