The vulnerabilities were made public during a talk titled “Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs”, which contained details of numerous bugs in multiple enterprise VPN products. However, the recent attacks were aimed at just two of the VPN products detailed in the talk: Pulse Secure VPN and Fortinet’s FortiGate VPN.
While the talk given by security researchers at Devcore may have given the attackers some insight into the flaws, it is more likely that the technical details and proof-of-concept code included in a blog post the company published after Black Hat were used to launch the attacks.
The blog post included details and demo code for a number of vulnerabilities in Pulse Secure VPN and FortiGate VPN, but the attackers chose to exploit CVE-2019-11510, which affects Pulse Secure, and CVE-2018-13379, which affects FortiGate. Both of these vulnerabilities are “pre-authentication file reads” and can be used by hackers to retrieve files from a targeted system without having to authenticate.
Enterprise VPN vulnerabilities
According to security researchers from Bad Packets, the hackers are scanning the internet for vulnerable devices and are then retrieving system password files from Pulse Secure VPNs and VPN session files from Fortinet’s FortiGate devices. These files allow attackers to authenticate on the devices or to fake an active VPN session.
In a recent blog post, Bad Packets revealed that there are almost 42,000 Pulse Secure VPN systems available online, of which almost 14,500 have not been patched. The number of FortiGate VPNs online is also believed to be in the hundreds of thousands, but there are no exact stats on how many unpatched systems are still vulnerable to attacks.
Patches for both enterprise VPNs have been available for months, with Pulse releasing a patch in April and Fortinet releasing a patch in May. However, customers failed to update their VPNs when these patches were released, and now they’re paying the price.
Customers of both companies are being advised to patch their software as soon as possible, since these expensive enterprise-grade VPN products are typically used to protect access to highly sensitive networks. For instance, Bad Packets found Pulse Secure VPNs on the networks of US military and government agencies, public universities and schools, hospitals and health care providers, major financial institutions and many Fortune 500 companies.