At a recent Black Hat conference in Las Vegas, the report "Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs" was presented, covering many vulnerabilities in corporate VPN products, including FortiGate and Pulse Secure. Although the report covers many different solutions, two of them are already under attack by cybercriminals: Pulse Secure VPN and FortiGate VPN from Fortinet.
Apparently, the attackers rely on the report by Devcore, the company that employs the two speakers who presented at the conference.
“According to our survey on Fortune 500, the Top-3 SSL VPN vendors dominate about 75% market share. The diversity of SSL VPN is narrow. Therefore, once we find a critical vulnerability on the leading SSL VPN, the impact is huge”, — report Devcore specialists.
In their report, the researchers describe in detail several vulnerabilities in the abovementioned products, and two of these problems proved very useful to attackers: CVE-2019-11510 (Pulse Secure) and CVE-2018-13379 (FortiGate).
Both vulnerabilities allow files to be read without authentication, so an attacker can retrieve any files from the target system without logging in. PoC exploits for both problems are freely available in the public domain, including on GitHub.
According to Bad Packets, attackers scan the Internet for vulnerable devices and use the mentioned bugs to retrieve files with system passwords from Pulse Secure VPN and session files from FortiGate. With this data in hand, attackers can either authenticate to the devices or fake an active VPN session.
“There is no workaround for these vulnerabilities. Given the severity of this sensitive information disclosure vulnerability coupled with the risk of unauthorized access to private networks – there is little time to update before threat actors engage in further malicious activity”, — report Bad Packets specialists.
At the same time, Bad Packets experts warn that hundreds of thousands of FortiGate VPNs are reachable online, although the researchers do not have accurate statistics. Almost 42,000 Pulse Secure VPN systems can also be found on the Internet, of which almost 14,500 do not have patches. Keep in mind that fixes were released several months ago: for Pulse Secure in April of this year, and for FortiGate in May.
Worse, experts explain that such expensive corporate products are commonly used on critical networks. For example, Pulse Secure VPN is used by the US military, federal, state, and local governments; state universities and schools; hospitals and other health care providers; and financial organizations.