Cybersecurity Threat Advisory 0046-19: Pulse Connect Secure VPN and FortiGate SSL VPN Vulnerable to Malicious Code Execution and Arbitrary File Reading by Remote Attackers
Researchers have discovered critical security flaws in FortiGate and Pulse Connect Virtual Private Network (VPN) systems. VPNs are routinely used to secure online communication, such as between a remote worker’s desktop and the corporate network, and are very common in the business world. By sending specially crafted messages to these VPN systems, an attacker could trick the VPN into allowing them to view files or even launch applications and other forms of executable code, or possibly even change passwords and perform other malicious acts.
Both Fortinet and Pulse released patches earlier this year that correct these issues. Because applying these patches requires downtime for the VPN system, many organizations have delayed installing them to avoid disrupting users. The patches should be applied immediately, as threat actors have already begun sending these specially crafted messages to large numbers of VPN systems in an attempt to uncover any system where the flaws remain unpatched. While patching will require downtime, it is vital that it be done as soon as possible.
Technical detail and additional information
What is the threat?
Researchers have discovered “mass scanning activity” – threat actors sending out attack packets to thousands of IP addresses at a time – targeting both Pulse Connect Secure VPN and FortiGate SSL VPN endpoints vulnerable to CVE-2019-11510 and CVE-2018-13379 respectively. Patching these endpoints has resulted in system disruptions, which has led some organizations to leave them unpatched and therefore vulnerable to these exploits. Real-time analysis of the events has shown the attackers viewing files from the networks and attempting to download password files from VPN servers.
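The following Python example is added here and is not part of the original advisory. It triages a VPN gateway's web access log for the behaviour described above (requests that try to read files outside the web root, such as password files) and lists the sources whose attempts received a successful response. The log format, addresses and request paths are constructed for illustration and are not the actual request format of CVE-2019-11510 or CVE-2018-13379.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in common log format. Addresses come from documentation
# ranges; paths are generic illustrations, not either CVE's request format.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Aug/2019:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.9 - - [24/Aug/2019:10:01:05 +0000] "GET /portal/../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [24/Aug/2019:10:01:06 +0000] "GET /portal/%2e%2e%2f%2e%2e%2fetc/shadow HTTP/1.1" 404 0
192.0.2.44 - - [24/Aug/2019:10:02:11 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1843
198.51.100.7 - - [24/Aug/2019:10:03:00 +0000] "POST /login HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
# A ".." path segment, delimited by a slash, backslash, "=" or string edge.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=])\.\.(?:[/\\]|$)')

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded "../" is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_traversal_requests(log_text):
    """Map source IP -> [(decoded request target, HTTP status), ...]."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, raw_target, status = m.groups()
        target = fully_decode(raw_target)
        if TRAVERSAL_RE.search(target):
            hits[src].append((target, int(status)))
    return dict(hits)

def sources_with_served_traversal(hits):
    """Sources that got a 200 for a traversal request: investigate first."""
    return sorted(s for s, reqs in hits.items() if any(st == 200 for _, st in reqs))

if __name__ == "__main__":
    found = find_traversal_requests(SAMPLE_LOG)
    for src, reqs in found.items():
        print(src, reqs)
    print("priority:", sources_with_served_traversal(found))
```

A 200 status does not prove that a file was returned; it marks the requests to examine first.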
Why is this noteworthy?
The security intelligence service BadPackets has discovered vulnerable hosts belonging to a variety of sensitive organizations, including US military and federal agencies, public universities, hospitals and major financial institutions, with the US, Japan, and UK being the most affected countries. By exploiting the unpatched systems, attackers can gain access to these normally secure and sensitive systems.
What is the exposure or risk?
Any unpatched FortiGate SSL VPN or Pulse Connect Secure VPN server is susceptible to the exploit. These vulnerabilities are serious because they affect the gateways to secure networks within an organization. Obtaining the information in these networks through this vulnerability can allow attackers to penetrate those networks and other networks within the organization. The vulnerabilities allow for many potential threat actions, including viewing of files, changing of passwords, and launching payloads against systems protected by the VPN.
What are the recommendations?
Patches became available in May 2019 for vulnerable FortiGate VPNs and in April 2019 for Pulse Secure. Any unpatched hosts should be updated with the latest patches from the vendor immediately. A temporary workaround for the security issue in FortiGate is to totally disable the SSL VPN service by applying the commands found at https://fortiguard.com/psirt/FG-IR-18-384. However, this also disables client connectivity via SSL VPN services, potentially rendering the VPN system unusable by some or all of the clients that connect to it.
SKOUT-managed devices which include a FortiGate VPN (previous generation Collector appliances) are being updated, and customers can confirm with the Security Operations Center that those updates have been applied and/or when such updates will take place.
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Security Operations Center.