BOOK AN APPOINTMENT WITH AN IT SPECIALIST TODAY

10 Jan 2020

AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability

Original release date: January 10, 2020 | Last revised: April 15, 2020

Summary

Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack. [1]

Although Pulse Secure [2] disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510. [3] [4] [5]

CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes. [6]

Timelines of Specific Events

  • April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.
  • May 28, 2019 – Large commercial vendors get reports of vulnerable VPN through HackerOne.
  • July 31, 2019 – Full use of exploit demonstrated using the admin session hash to get complete shell.
  • August 8, 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation.
  • August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.
  • October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.
  • October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.
  • January 2020 – Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.   

Technical Details

Impact

A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Affected versions:

  • Pulse Connect Secure 9.0R1 – 9.0R3.3
  • Pulse Connect Secure 8.3R1 – 8.3R7
  • Pulse Connect Secure 8.2R1 – 8.2R12
  • Pulse Connect Secure 8.1R1 – 8.1R15
  • Pulse Policy Secure 9.0R1 – 9.0R3.1
  • Pulse Policy Secure 5.4R1 – 5.4R7
  • Pulse Policy Secure 5.3R1 – 5.3R12
  • Pulse Policy Secure 5.2R1 – 5.2R12
  • Pulse Policy Secure 5.1R1 – 5.1R15

Mitigations

This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.

CISA strongly urges users and administrators to upgrade to the corresponding fixes. [7]

References

Revisions

  • January 10, 2020: Initial Version
  • April 15, 2020: Revised to correct type of vulnerability

This product is provided subject to this Notification and this Privacy & Use policy.

More Like This

MFA Bug Opens Door For Hackers To Attack Microsoft 365

New and heightened digital threats develop every day, and having standard security software may not be enough to protect your personal data and business from exploitation from malware attacks. Businesses across industries are vulnerable to new attacks, as many security software lags behind. Hackers find ways to work around the most common security platforms to …

MFA Bug Opens Door For Hackers To Attack Microsoft 365 Read More »

Read More

What Is The Dark Web?

What Is The Dark Web? Are your company’s data and network secure? Solidly secure? Or, are you worried you may have been hacked, putting sensitive data at risk? You may be wondering about the latter if you’re looking up information on the dark web and how it may impact your business. Because, indeed, if you …

What Is The Dark Web? Read More »

Read More

What Exactly Is NIST?

What Exactly Is NIST? No matter what industry you work in, chances are you’ve encountered the term NIST at one time or another. It’s most often used in relation to technology and, specifically, in relation to cybersecurity. Like many things related to these fields, NIST is both complicated and simple. It’s complicated because you have …

What Exactly Is NIST? Read More »

Read More

Remote Workers Are Here to Stay! Important Tips

Exactly a year ago today, no one would’ve thought that this many people would be working from home. Yet, here we are. The numbers are truly astounding. In June, the estimate was that 42% of the United States’ labor force had transitioned to full-time at-home work. For a while, most of us thought it would only …

Remote Workers Are Here to Stay! Important Tips Read More »

Read More

AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

Original release date: October 9, 2020 Summary This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques. Note: the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity …

AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations Read More »

Read More

AA20-280A: Emotet Malware

Original release date: October 6, 2020 Summary This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques. This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC). Emotet—a sophisticated …

AA20-280A: Emotet Malware Read More »

Read More