Pulse Secure Says Majority of Customers Patched Exploited Vulnerability

Pulse Secure and Fortinet Take Steps to Protect Customers Against Attacks Exploiting Recently Disclosed Vulnerabilities

[UPDATE BELOW] Attackers continue to scan for Pulse Secure and Fortinet devices affected by recently disclosed flaws, but Pulse Secure says most of its customers are no longer vulnerable, and Fortinet has released FortiGuard signatures designed to block exploitation attempts.

The vulnerabilities were first disclosed in July by Orange Tsai and Meh Chang of the research team at security consulting firm DEVCORE. They found several serious weaknesses in enterprise VPN products from Fortinet, Palo Alto Networks and Pulse Secure, and warned that they could be exploited to infiltrate corporate networks, obtain sensitive information, and eavesdrop on communications.

The researchers also detailed their findings at the Black Hat and DEF CON conferences, and several proof-of-concept (PoC) exploits were made public after their presentations.

A few weeks after details of the vulnerabilities were made public, security experts spotted attempts to exploit CVE-2018-13379, a pre-authentication path traversal vulnerability in the FortiOS SSL VPN web portal, and CVE-2019-11510, a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure. Most of the exploitation attempts were scanning activity aimed at identifying vulnerable systems rather than follow-on intrusions.

Bad Packets reported on August 25 that a search revealed over 14,000 vulnerable Pulse Secure VPN endpoints hosted by more than 2,500 organizations, including in the government, military, educational, financial, media, and energy sectors. A majority of the impacted entities were in the United States, followed by Western Europe and Japan.

Bad Packets warned that attackers can exploit CVE-2019-11510 to read files containing private keys and user passwords from the appliance, which could in turn allow them to execute arbitrary commands on the device and gain access to the VPN network behind it.
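The scanning activity described above leaves a recognisable trace in the web portal's access logs: a request to a VPN portal path whose target contains a dot-dot traversal, often URL-encoded, aimed at a credential or session file. The following is an added example, not code from SecurityWeek, DEVCORE, Bad Packets or either vendor, that flags such requests in Apache-style access log lines. The log lines are constructed here; the two request shapes it recognises for CVE-2019-11510 and CVE-2018-13379 are the ones that were published with the original research and PoCs, and the severity labels and portal-path table are this example's own assumptions, not vendor signatures.

```python
"""Flag VPN-portal requests that look like the path-traversal / arbitrary file read
scanning discussed in the article (CVE-2019-11510 and CVE-2018-13379).

Added example code; sample log lines are constructed and not taken from any real incident.
"""
import re
from urllib.parse import unquote

# Portal path prefixes exposed by each product (assumed table, not a vendor signature).
PORTAL_PREFIXES = {
    "/dana-na/": "Pulse Connect Secure (CVE-2019-11510 arbitrary file read)",
    "/remote/fgt_lang": "FortiOS SSL VPN (CVE-2018-13379 path traversal)",
}

# Files the published exploitation attempts try to retrieve.
SENSITIVE_TARGETS = ("/etc/passwd", "/dev/cmdb/sslvpn_websession", "/data/runtime/mtmp/")

# Common/combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize(target: str) -> str:
    """URL-decode the request target until it stops changing, so that
    double-encoded sequences such as %252e%252e become '..'. Lowercased for matching."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower()


def has_traversal(decoded: str) -> bool:
    """True if the decoded target contains a '..' path segment (slash or backslash)."""
    return bool(re.search(r"(^|[/\\])\.\.([/\\]|$)", decoded))


def classify(line: str):
    """Return a finding dict for a suspicious request, or None for a benign/unparseable line."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    decoded = normalize(m["target"])
    path = decoded.split("?", 1)[0]
    product = next((d for p, d in PORTAL_PREFIXES.items() if path.startswith(p)), None)
    traversal = has_traversal(decoded)
    sensitive = [t for t in SENSITIVE_TARGETS if t in decoded]
    if product and traversal:
        severity = "high" if sensitive else "medium"
    elif traversal:
        severity, product = "low", "other path traversal"
    else:
        return None
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "status": status,
        # A 200 to a traversal request means the host may have handed the file over:
        # check whether that appliance is actually patched, not just the scanner's intent.
        "served": status == 200,
        "product": product,
        "severity": severity,
        "files": sensitive,
        "target": m["target"],
    }


def scan(log_text: str) -> list:
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Constructed sample log: two plain scanner requests, one percent-encoded Fortinet probe,
# one legitimate Pulse login page hit, and one double-encoded traversal elsewhere.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Aug/2019:10:15:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1812
198.51.100.7 - - [25/Aug/2019:10:15:03 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 40960
203.0.113.4 - - [25/Aug/2019:10:16:40 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2F%2F%2F%2F%2F%2F%2F%2F%2F%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 404 231
192.0.2.9 - - [25/Aug/2019:10:17:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
192.0.2.10 - - [25/Aug/2019:10:18:00 +0000] "GET /images/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["product"], "served" if f["served"] else "blocked", f["files"])
```

The decode-until-stable step matters because scanners vary the encoding of the same request; matching the raw target string would miss the third sample line entirely. The `served` flag is the triage hint: a traversal request that got a 200 from a portal that should have been patched in April is the host to pull offline and check, whereas a 404 on a patched host is just evidence of the scanning the article describes.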

However, Pulse Secure, which released a patch for the vulnerability in April 2019, says it has “worked aggressively” with customers to ensure that they deploy the fix. The company told SecurityWeek that a majority of its customers have applied the patch and are no longer vulnerable.

“We cannot verify that the vulnerable server count as depicted by Bad Packets are at-risk exposures, but we can confirm that the majority of our customers have applied the patch. For example, some of the unpatched appliances that were discovered are test appliances and lab units that are typically isolated and not in production. However, Pulse Secure strongly recommends that customers apply the patch fix to all of their appliances as soon as possible,” Pulse Secure said via email.

The company added, “We are continuing to reach out to customers and partners that have not applied the patch fix and requesting that they do so immediately. In addition to prior email, in-product and support website notifications, Pulse Secure support engineers are available 24×7, including weekends and holidays, to help customers who need assistance to apply the patch fix. We are also offering assistance to customers to patch for these vulnerabilities even if they are not under an active maintenance contract.”

Fortinet published a blog post on August 28 alerting customers to the risk posed by three of the vulnerabilities discovered by Orange Tsai and Meh Chang. The company patched the flaws, tracked as CVE-2018-13379 (path traversal), CVE-2018-13383 (a heap overflow in the SSL VPN web portal) and CVE-2018-13382 (improper authorization), with FortiOS updates released in April and May. It has also issued FortiGuard signatures intended to block attempts to exploit the vulnerabilities.

Bad Packets warned on Thursday that attackers have been trying to download usernames and passwords from Fortinet devices using CVE-2018-13379.

When the first exploitation attempts against CVE-2018-13379 were spotted, researcher Kevin Beaumont also pointed to CVE-2018-13382, another serious vulnerability discovered by the DEVCORE researchers in the Fortinet SSL VPN appliance. Beaumont said the vulnerability resembled a backdoor, as a request parameter called “magic” allowed an unauthenticated remote attacker to reset an SSL VPN portal user’s password.

CVE-2018-13382 does not appear to have been targeted in attacks, but proof-of-concept (PoC) code is available.

Fortinet has now clarified that the problematic code was created for a specific customer but was inadvertently bundled into the general FortiOS release. The company has removed the code from the FortiOS code base and issued a signature to block exploitation.

UPDATE. Bad Packets and others believe Pulse Secure’s claims are misleading. Bad Packets has provided the following statement to SecurityWeek: 

[Pulse Secure’s statement] undermines ongoing efforts by multiple U.S. federal agencies and government CERT teams around the world. In addition, such statements downplay the risks presented by this critical vulnerability that can lead to the spread of ransomware on sensitive networks. Multiple parties have verified the scan results provided by Bad Packets and we’re still actively working to notify organizations that remain vulnerable to immediate compromise.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
