Request a Demo

How to Remediate the New Critical RCE Vulnerabilities In Enterprise VPNs

The US Cybersecurity and Infrastructure Security Agency (CISA) had alerted organizations to patch their Pulse Secure VPN servers as a defense against ongoing attacks trying to exploit a known remote code execution (RCE) vulnerability. 

This warning follows another alert issued by CISA in October 2019, and others coming from the National Security Agency (NSA), the Canadian Centre for Cyber Security, and UK's National Cyber Security Center (NCSC). 

Suggested Remediation Measures:

1. Pulse Connect Secure
  • CVE-2019-11510 - pre-auth arbitrary file reading: An unauthenticated remote attacker can craft and send a Uniform Resource Identifier (URI) to read files. This vulnerability affects Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 

 

POC:

CVE-2019-11510 

Exploit Database 

Pulse Connect Secure 

CVE-2019-11510 

GitHub: CVE-2019-11510-poc 

Pulse Connect Secure 

 

  • CVE-2019-11539 - post-auth command injection: The admin web interface allows an authenticated attacker to inject and execute commands. This vulnerability affects Pulse Secure PCS version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1.
How to Remediate:

If you are using Pulse Secure products for VPN, patch immediately with the linked solution to mitigate these 2 vulnerabilities (and 8 more).

2. Fortinet FortiOS
  • CVE-2018-13379 - pre-auth arbitrary file reading: A path traversal vulnerability under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. This vulnerability affects Fortinet FortiOS 6.0.0 to 6.0.4 and 5.6.3 to 5.6.7. 

POC:

CVE-2018-13379 

GitHub: CVE-2018-13379 

FortiGate SSL VPN 

CVE-2018-13379 

Exploit Database 

FortiGate SSL VPN 

  • CVE-2018-13382 - this vulnerability allows an unauthenticated attacker to change the password of an SSL VPN web portal user via specially crafted HTTP requests. This vulnerability affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, and 5.4.1 to 5.4.10.
  • CVE-2018-13383 - post-auth heap overflow: This allows an attacker to gain a shell running on the router. A heap buffer overflow in the SSL VPN web portal can terminate SSL VPN web service for logged-in users due to a failure to properly handle Javascript href data when proxying web pages. Affects all Fortinet FortiOS versions below 6.0.5. 

POC:

CVE-2018-13379, CVE-2018-13383 

Blog from Meh Chang and Orange Tsai 

FortiGate SSL VPN 

 

How to Remediate:

To mitigate the risk, apply the patches from the Fortinet advisory to your Fortiner products.

Fortinet Advisory 

Affected Versions 

Patch Date 

CVE-2018-13379 (FG-IR-18-384) 

FortiOS 6.0.0 - 6.0.4 FortiOS 5.6.3 - 5.6.7 

5/24/19 

CVE-2018-13380 (FG-IR-18-383) 

FortiOS 6.0.0 - 6.0.4 FortiOS 5.6.0 - 5.6.7 FortiOS <= 5.4 

5/24/19 

 

CVE-2018-13381 (FG-IR-18-387) 

FortiOS 6.0.0 - 6.0.4 FortiOS 5.6.0 - 5.6.7 FortiOS <= 5.4 

5/24/19 

 

CVE-2018-13382 (FG-IR-18-389) 

FortiOS 6.0.0 - 6.0.4* FortiOS 5.6.0 - 5.6.8* FortiOS 5.4.1 - 5.4.10* 

5/24/19 

 

CVE-2018-13383 (FG-IR-18-388) 

FortiOS 6.0.0 - 6.0.4 FortiOS <= 5.6.10 

4/2/19 

* Vulnerable only when SSL VPN service is enabled. 

3. Palo Alto GlobalProtect Portal
  • CVE-2019-1579 - RCE might allow an unauthenticated remote attacker to execute arbitrary code. This vulnerability affects PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled. 

POC: https://github.com/securifera/CVE-2019-1579/blob/master/CVE-2019-1579_8.0.7_mips.py 

How to Remediate: 

Upgrade the product to non-vulnerable versions “Affected version Fixed version PAN-OS 7.1.18 and earlier PAN-OS 7.1.19 and later PAN-OS 8.0.11 and earlier PAN-OS 8.0.12 and later PAN-OS 8.1.2 and earlier PAN-OS 8.1.3 and later. This vulnerability does not impact PAN-OS 9.0. 

Vendor advisory: https://securityadvisories.paloaltonetworks.com/Home/Detail/158 

Mitigating Risk From Enterprise VPN 

In order to mitigate risk from enterprise VPN, the following best-practices should be followed:

  • Review the VPN log files for evidence of compromised accounts in active use. 
  • Look for connections in odd times and other unusual events that may require further investigation. 
  • Ensure that you can patch and maintain the remote access. 
  • Add multi-factor authentication (MFA) when using VPN. 
  • Review the end-user license agreements and examine the reviews before purchasing a VPN solution. Ask around to trusted forums for advice and guidance on VPN solutions. 
  • Make sure you can update and service the application even on remote locations. 
  • Provide guidance and education to users on how to properly use VPN.

 

Don’t miss out on the latest

Get notified on Industry updates.
we promise not to spam

Related Posts

Popular Articles

03.3.2020 | vulnerabilities , Ghostcat

| Posted by Yonatan Amitay
The Apache Tomcat servers that have been released over the last thirteen years are vulnerable to a bug known as “Ghostcat” (CVE-2020-1938) that ...
Read more
  With nearly 15,000 new vulnerabilities discovered in 2017, and even more expected this year – the competition for ‘worst vulnerability’ is a tough ...
Read more

11.1.2018 | vulnerabilities

| Posted by Roy Horev
The best way to share information about the risks associated with vulnerabilities is via quantifying these risks – i.e. metrics. The question is, ...
Read more