Vendors Issued Security Updates to Fix Severe Flaws Several Months Ago
Hackers in recent days have been hunting for SSL VPNs manufactured by both Fortinet and Pulse Secure that have yet to be updated to fix serious security flaws, security experts warn.
There’s been a surge in scanning attempts by attackers to locate and automatically hack these devices, exploiting known flaws that allow them to steal passwords and other sensitive data. With stolen passwords in hand, attackers can potentially gain full, remote access to organizations’ networks.
The attacks come despite both vendors having released patches several months ago – Pulse Secure in April, Fortinet in May – via firmware updates that included security fixes. Both vendors warned that all customers should install the updates as quickly as possible, given the severity of the flaws. Many organizations, however, apparently have yet to install the updated software, and thus remain at elevated risk from escalating exploit attempts.
Internet scans count at least 480,000 Fortinet Fortigate SSL VPN endpoints connected to the internet, although it’s unclear how many remain unpatched. But experts say that of about 42,000 Pulse Secure SSL VPN endpoints seen online, more than 14,000 of them – a majority of which are located in the United States – remain unpatched.
In recent days, reports of attacks against vulnerable Pulse Secure and Fortinet SSL VPNs have been escalating.
On Thursday, Troy Mursch of Chicago-based threat intelligence firm Bad Packets warned that his firm’s honeypots had detected opportunistic, large-scale mass scanning activity by hackers looking for Pulse Secure VPN SSL servers vulnerable to CVE-2019-11510. “This arbitrary file reading vulnerability allows sensitive information disclosure enabling unauthenticated attackers to access private keys and user passwords,” he said. “Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside the private VPN network.”