Vulnerabilities in Multiple VPN Applications – CERT

Some new vulnerabilities relating to VPN applications are being targeted by attackers to install the REvil (Sodinokibi) ransomware. I have had the unfortunate opportunity to witness firsthand how damaging ransomware can be when it happened to a parent of one of my clients. It is very debilitating and an important reason to increase specific security efforts in your network. I am happy to take your call and discuss Network Security in your environment and what can be done to improve it.

Original release date: January 10, 2020

Summary

Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerability, known as CVE-2019-11510, can become compromised in an attack. [1]

Although Pulse Secure [2] disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510. [3] [4] [5]

CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes. [6]

Timelines of Specific Events

  • April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.
  • May 28, 2019 – Large commercial vendors get reports of vulnerable VPN through HackerOne.
  • July 31, 2019 – Full RCE use of exploit demonstrated using the admin session hash to get complete shell.
  • August 8, 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation.
  • August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.
  • October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.
  • October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.
  • January 2020 – Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.

More information can be found here: https://www.us-cert.gov/ncas/alerts/aa20-010a


Doug Renner

Principal Consultant

Doug Renner is a veteran of both business and the information technology industry. His most recent endeavor was founding Peak IP Solutions, which he started in 2004 and led for 14 years. Peak IP Solutions grew rapidly from inception to over $13MM in annual sales in just six years. They were recognized by CRN Magazine in the NextGen 250 category as a leader in the VAR/MSP space. Major partnerships with Cisco, VMware, Veeam, HP, InfoBlox and others helped drive the business's growth in sales along with steady growth in their Security, Voice, and Network Managed Services solutions. In March of 2018, Telcion Communications Group acquired Peak IP Solutions. Doug has held many certifications over the years, beginning with his Microsoft MCP on Windows NT 3.5. In 2000 Doug started working for Cisco, where he earned several Routing, Design, Voice, Security and Data Center certifications. Currently Doug is working with Telcion to transition clients and business aspects. He continues to enjoy the technology and supports projects in the Bay Area geography. Doug enjoys time with his wife and two daughters, driving and camping in Volkswagen Vanagon Syncro campers, snowboarding, mountain biking, investing, and walking Abbi, the family's Australian Shepherd.