Recently disclosed vulnerabilities affecting enterprise virtual private network (VPN) products from Fortinet and Pulse Secure have been exploited in the wild, a researcher reported on Thursday.
Researcher Kevin Beaumont said he spotted attempts to exploit the flaws via BinaryEdge. The targeted security holes are CVE-2018-13379, a high-risk path traversal vulnerability in the FortiOS SSL VPN web portal, and CVE-2019-11510, a critical arbitrary file read vulnerability in Pulse Connect Secure.
Both vulnerabilities allow remote, unauthenticated attackers to access arbitrary files on the targeted systems.
Details of the flaws were first disclosed in July by Orange Tsai and Meh Chang of the research team at security consulting firm DEVCORE. The duo discovered many serious vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure products, and warned that they could be exploited by attackers to infiltrate corporate networks, obtain sensitive information, and eavesdrop on communications.
The researchers also discussed their findings at the Black Hat and DEFCON conferences earlier this month. Several proof-of-concept (PoC) exploits were made public after their presentations.
In Pulse Secure products, the experts found a total of 7 vulnerabilities, including ones that could be combined to achieve remote code execution. Five security holes were found in the FortiGate SSL VPN, including two that could be chained for remote code execution.
The impacted vendors released patches and advisories before the details of the vulnerabilities were made public.
According to Beaumont, CVE-2018-13379 is easy to exploit and it allows an attacker to obtain administrator credentials in plain text. The expert says there are nearly half a million IP addresses associated with Fortinet devices visible online.
The first exploitation attempts against Fortinet systems were spotted by Beaumont on August 21 and against Pulse Secure systems on August 22. While so far it appears that someone is only scanning the internet for vulnerable systems, that could change at any time and more malicious payloads may pop up.
Pulse Secure told SecurityWeek that the flaws have been patched since April and customers who have deployed the fix are not vulnerable.
“Pulse Secure publicly provided a patch fix on April 24, 2019 to be immediately applied to the Pulse Connect Secure (VPN). Commencing that day in April, we informed our customers and service providers of the availability and need for the patch as per our Security Advisory– SA44101,” Pulse Secure said.
It added, “Since then, Pulse Secure has notified customers and our reseller partners about the Security Advisory through multiple email notifications and support portal alerts, as well as directly by our customer success managers. Pulse Secure customers have been downloading and applying the patch since its availability on April 24th, 2019. At the time that Pulse Secure developed and released the patch fix, we were not aware of any exploit of this vulnerability.”
SecurityWeek has reached out to Fortinet as well and will update this article if the company responds.
*updated with comments from Pulse Secure