Pulse Secure and Fortinet Take Steps to Protect Customers Against Attacks Exploiting Recently Disclosed Vulnerabilities
[UPDATE BELOW] Hackers continue to look for Pulse Secure and Fortinet devices affected by recently disclosed flaws, but Pulse Secure says a majority of its customers are no longer vulnerable and Fortinet has released FortiGuard signatures that should block attacks.
The vulnerabilities were first disclosed in July by Orange Tsai and Meh Chang of the research team at security consulting firm DEVCORE. They found several serious weaknesses in enterprise VPN products from Fortinet, Palo Alto Networks and Pulse Secure, and warned that they could be exploited to infiltrate corporate networks, obtain sensitive information, and eavesdrop on communications.
The researchers also detailed their findings at the Black Hat and DEFCON conferences, and several proof-of-concept (PoC) exploits were made public after their presentations.
A few weeks after details of the vulnerabilities were made public, some security experts spotted attempts to exploit CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal, and CVE-2019-11510, an arbitrary file read vulnerability in Pulse Connect Secure. The exploitation attempts were mostly part of scanning activity whose goal was to identify vulnerable systems.
Bad Packets reported on August 25 that a search revealed over 14,000 vulnerable Pulse Secure VPN endpoints hosted by more than 2,500 organizations, including in the government, military, educational, financial, media, and energy sectors. A majority of the impacted entities were in the United States, followed by Western Europe and Japan.
Bad Packets warned that attackers can exploit CVE-2019-11510 to access files containing private keys and user passwords, which could further allow them to execute arbitrary commands and provide them access to VPN networks.
However, Pulse Secure, which released a patch for the vulnerability in April 2019, says it has “worked aggressively” with customers to ensure that they deploy the fix. The company told SecurityWeek that a majority of its customers have applied the patch and are no longer vulnerable.
“We cannot verify that the vulnerable server count as depicted by Bad Packets are at-risk exposures, but we can confirm that the majority of our customers have applied the patch. For example, some of the unpatched appliances that were discovered are test appliances and lab units that are typically isolated and not in production. However, Pulse Secure strongly recommends that customers apply the patch fix to all of their appliances as soon as possible,” Pulse Secure said via email.
The company added, “We are continuing to reach out to customers and partners that have not applied the patch fix and requesting that they do so immediately. In addition to prior email, in product and support web site notifications, Pulse Secure support engineers are available 24×7, including weekends and holidays, to help customers who need assistance to apply the patch fix. We are also offering assistance to customers to patch for these vulnerabilities even if they are not under an active maintenance contract.”
Fortinet released a blog post on August 28 to alert customers of the risk posed by three of the vulnerabilities discovered by Orange Tsai and Meh Chang. The company patched the flaws, tracked as CVE-2018-13379, CVE-2018-13383, and CVE-2018-13382, with FortiOS updates released in April and May. It has also issued FortiGuard signatures that should block attempts to exploit the vulnerabilities.
Bad Packets warned on Thursday that attackers have been trying to download usernames and passwords from Fortinet devices using CVE-2018-13379.
When the first exploitation attempts against CVE-2018-13379 were spotted, researcher Kevin Beaumont also pointed to CVE-2018-13382, another serious vulnerability discovered by the DEVCORE researchers in the Fortinet SSL VPN appliance. Beaumont said the vulnerability resembled a backdoor as there was a parameter called “magic” that allowed anyone to reset a user’s password for the SSL VPN portal remotely.
CVE-2018-13382 does not appear to have been targeted in attacks, but proof-of-concept (PoC) code is available.
Fortinet has now clarified that the problematic code was created for a specific customer, but it was inadvertently bundled into the general FortiOS release. The company has removed the code from new FortiOS code base and issued a signature to block exploitation.
UPDATE. Bad Packets and others believe Pulse Secure’s claims are misleading. Bad Packets has provided the following statement to SecurityWeek:
“[Pulse Secure’s statement] undermines ongoing efforts by multiple U.S. federal agencies and government CERT teams around the world. In addition, such statements downplay the risks presented by this critical vulnerability that can lead to the spread of ransomware on sensitive networks. Multiple parties have verified the scan results provided by Bad Packets and we’re still actively working to notify organizations that remain vulnerable to immediate compromise.”