Attackers are actively scanning for endpoints running versions of the popular Pulse Secure VPN software that are affected by a critical, remotely exploitable vulnerability disclosed recently.
There is a publicly available exploit for the bug, and researchers have seen large-scale scanning activity by attackers searching for vulnerable machines. Pulse Secure's SSL VPN is used in many enterprise environments, and the details of the vulnerability have been public for several weeks now. The weakness allows a remote attacker to read an arbitrary file on a vulnerable system, potentially stealing passwords or other sensitive data. It affects several versions of the Pulse Connect Secure and Pulse Policy Secure software. Pulse Secure posted an initial advisory on the vulnerability in late April, but after researchers discussed the bug at Black Hat in early August, attackers took notice.
“This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Many of these vulnerabilities have a critical CVSS score and pose significant risk to your deployment,” the advisory says.
In the last few days, researchers began noticing widespread scans by systems looking for machines that are vulnerable to CVE-2019-11510, the arbitrary file read vulnerability. The attackers typically are trying to get to the file that contains users’ passwords for the VPN.
“On Thursday, August 22, 2019, our honeypots detected opportunistic mass scanning activity from a host in Spain targeting Pulse Secure “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This arbitrary file reading vulnerability allows sensitive information disclosure enabling unauthenticated attackers to access private keys and user passwords. Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside the private VPN network,” Troy Mursch of threat intelligence firm Bad Packets said in a post on the scanning activity.
“On Friday, August 23, 2019, our honeypots detected additional mass scanning for CVE-2019-11510 from another host in Spain. In both cases, the exploit activity attempted to download the “etc/passwd” file which contains the usernames associated with the VPN server (not client accounts). A successful “HTTP 200/OK” response to this scan indicates the VPN endpoint is vulnerable to further attacks. Given the ongoing scanning activity, it’s likely the attackers have enumerated all publicly accessible hosts vulnerable to CVE-2019-11510.”
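The two observations in the quote above, that scanners request the etc/passwd file and that an HTTP 200 reply means the read succeeded, translate directly into a detection rule a defender can run over a VPN gateway's access log. The script below is an added example, not code from the article, from Bad Packets or from Pulse Secure. It assumes a combined-format access log, uses constructed log lines with RFC 5737 documentation IPs and placeholder paths (not the real CVE-2019-11510 request), and adds etc/shadow to the watch list as an assumption beyond what the article names. A request for a sensitive file that got a 200 is reported as "exposed"; the same request with any other status is a "probe".

```python
"""Added example (not from the article, Bad Packets or Pulse Secure): flag
CVE-2019-11510-style arbitrary file read attempts in a VPN gateway's HTTP access
log. Per the article, scanners request etc/passwd and an HTTP 200 reply indicates
the endpoint is vulnerable."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Parser for a combined-format access log (assumed log format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files worth alerting on. The article names etc/passwd; etc/shadow is an
# assumption added here as another common target of file-read flaws.
SENSITIVE_FILES = ("etc/passwd", "etc/shadow")


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Percent-decode twice so double-encoded traversal sequences are normalised too.
    rec["decoded_path"] = unquote(unquote(rec["path"]))
    return rec


def classify(rec):
    """'exposed' if a sensitive-file read got HTTP 200, 'probe' if it was
    attempted with any other status, None if the request is not of interest."""
    path = rec["decoded_path"].lower()
    if not any(f in path for f in SENSITIVE_FILES):
        return None
    return "exposed" if rec["status"] == 200 else "probe"


def analyze(log_text):
    """Return one alert per matching request plus a per-source-IP verdict count."""
    alerts = []
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is None:
            continue
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["decoded_path"],
                       "status": rec["status"], "verdict": verdict})
        per_ip[rec["ip"]][verdict] += 1
    return {"alerts": alerts, "sources": {ip: dict(c) for ip, c in per_ip.items()}}


def exposed_sources(report):
    """Source IPs that received at least one HTTP 200 for a sensitive-file read.
    Any hit here means the gateway should be treated as compromised: patch, then
    rotate the VPN credentials and private keys the file read could have leaked."""
    return sorted(ip for ip, c in report["sources"].items() if c.get("exposed"))


# Constructed sample log: documentation-range IPs, placeholder paths.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Aug/2019:09:14:02 +0000] "GET /vpn/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Aug/2019:09:14:03 +0000] "GET /EXAMPLE/../../etc/passwd HTTP/1.1" 200 1834 "-" "python-requests/2.22.0"
198.51.100.7 - - [23/Aug/2019:11:02:41 +0000] "GET /EXAMPLE/..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 312 "-" "curl/7.64.0"
192.0.2.55 - - [23/Aug/2019:11:05:00 +0000] "GET /vpn/static/app.js HTTP/1.1" 200 44021 "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for a in report["alerts"]:
        print(f'{a["verdict"]:8s} {a["ip"]:15s} {a["status"]} {a["path"]}')
    print("sources with a successful read:", exposed_sources(report))
```

Run against the sample, the first scanner's request is reported as exposed and the double-encoded one from the second host as a probe that failed. Matching on the decoded path rather than the raw URL is the design choice that matters: a rule keyed on the literal string "etc/passwd" would miss the percent-encoded variant entirely.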
The vulnerability is obviously quite serious on its own, but late last week an exploit for it was published on GitHub, making the situation even more concerning. Pulse Secure has patches available for all of the vulnerable versions, and enterprises should prioritize that fix, given the current scanning and availability of the exploit.
Mursch said Bad Packets did a scan of its own to enumerate vulnerable endpoints and found more than 14,000 systems that were still vulnerable to CVE-2019-11510, more than a third of which are in the United States.