US-CERT - AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability

Started by Netwörkheäd, January 20, 2020, 06:14:03 PM


Netwörkheäd

AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability

Original release date: January 10, 2020<br/>
<h3>Summary</h3>
<p>Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerability, known as CVE-2019-11510, can become compromised in an attack. <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11510">[1]</a></p>

<p>Although Pulse Secure <a href="https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/">[2]</a> disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510. <a href="https://www.kb.cert.org/vuls/id/927237/">[3]</a> <a href="https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications">[4]</a> <a href="https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn">[5]</a></p>

<p>CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes. <a href="https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/">[6]</a></p>

<h2>Timelines of Specific Events</h2>

<ul>
<li>April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.</li>
<li>May 28, 2019 – Large commercial vendors get reports of vulnerable VPN through HackerOne.</li>
<li>July 31, 2019 – Full RCE use of exploit demonstrated using the admin session hash to get complete shell.</li>
<li>August 8, 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation.</li>
<li>August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.</li>
<li>October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.</li>
<li>October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.</li>
<li>January 2020 – Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.</li>
</ul>
<h3>Technical Details</h3>
<h2>Impact</h2>

<p>A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.</p>

<p>Affected versions:</p>

<ul>
<li>Pulse Connect Secure 9.0R1 - 9.0R3.3</li>
<li>Pulse Connect Secure 8.3R1 - 8.3R7</li>
<li>Pulse Connect Secure 8.2R1 - 8.2R12</li>
<li>Pulse Connect Secure 8.1R1 - 8.1R15</li>
<li>Pulse Policy Secure 9.0R1 - 9.0R3.1</li>
<li>Pulse Policy Secure 5.4R1 - 5.4R7</li>
<li>Pulse Policy Secure 5.3R1 - 5.3R12</li>
<li>Pulse Policy Secure 5.2R1 - 5.2R12</li>
<li>Pulse Policy Secure 5.1R1 - 5.1R15</li>
</ul>
<h3>Mitigations</h3>
<p>This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.</p>

<p>CISA strongly urges users and administrators to upgrade to the corresponding fixes. <a href="https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/">[7]</a></p>
<h3>References</h3>
<ul>
<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11510">[1] NIST NVD CVE-2019-11510</a></li>
<li><a href="https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/">[2] Pulse Secure Advisory SA44101</a></li>
<li><a href="https://www.kb.cert.org/vuls/id/927237/">[3] CERT/CC Vulnerability Note VU#927237</a></li>
<li><a href="https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications">[4] CISA Current Activity Vulnerabilities in Multiple VPN Applications</a></li>
<li><a href="https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn">[5] CISA Current Activity Multiple Vulnerabilities in Pulse Secure VPN</a></li>
<li><a href="https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/">[6] Pulse Secure Advisory SA44101</a></li>
<li><a href="https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/">[7] Pulse Secure Advisory SA44101</a></li>
</ul>
<h3>Revisions</h3>
<ul>
<li>January 10, 2020: Initial Version</li>
</ul>
<hr />
Source: AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability
Let's not argue. Let's network!
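
Added example, not part of the original post or the CISA advisory: a Python check that compares version strings from an appliance inventory against the "Affected versions" ranges listed in the advisory. The host names, the sample inventory and the function names are constructed for illustration, and the version format `<major>.<minor>R<release>[.<patch>]` is an assumption inferred from the strings in that list.

```python
import re

# Inclusive ranges copied from the advisory's "Affected versions" list.
AFFECTED_RANGES = {
    "Pulse Connect Secure": [("9.0R1", "9.0R3.3"), ("8.3R1", "8.3R7"),
                             ("8.2R1", "8.2R12"), ("8.1R1", "8.1R15")],
    "Pulse Policy Secure": [("9.0R1", "9.0R3.1"), ("5.4R1", "5.4R7"), ("5.3R1", "5.3R12"),
                            ("5.2R1", "5.2R12"), ("5.1R1", "5.1R15")],
}
# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. 9.0R3.3 or 8.2R12
_VERSION = re.compile(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor, release, patch); a missing patch counts as 0."""
    match = _VERSION.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def listed_range(product, version):
    """Return the advisory range that contains version, or None."""
    if product not in AFFECTED_RANGES:
        raise ValueError(f"product not covered by the advisory list: {product!r}")
    parsed = parse_version(version)
    for low, high in AFFECTED_RANGES[product]:
        if parse_version(low) <= parsed <= parse_version(high):
            return f"{low} - {high}"
    return None

def triage(inventory):
    """Map each host to 'affected', 'not listed' or 'review'."""
    result = {}
    for host, product, version in inventory:
        try:
            hit = listed_range(product, version)
            result[host] = "affected" if hit else "not listed"
        except ValueError:
            result[host] = "review"  # unparseable version or unknown product
    return result

# Constructed sample inventory (host names and versions are made up).
SAMPLE = [
    ("vpn-edge-01.example", "Pulse Connect Secure", "9.0R3.3"),
    ("vpn-edge-02.example", "Pulse Connect Secure", "9.0R3.4"),
    ("nac-01.example", "Pulse Policy Secure", "5.3R12"),
    ("vpn-lab.example", "Pulse Connect Secure", "9.0-build"),
]
if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

"not listed" means only that the version falls outside the ranges the advisory lists; confirm the fixed release for each product line against Pulse Secure Advisory SA44101 before treating a host as patched.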