VPN provider Pulse Secure remains hackable even after installing the patch for CVE-2019-11510, an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances, if credentials were stolen prior to patching and not changed afterwards. Pulse Secure publicly provided a patch for CVE-2019-11510 on April 24, 2019 that should have been applied immediately to Pulse Connect Secure (VPN). It notes that this risk would apply to Pulse and to other VPN systems, such as Palo Alto Networks and Fortinet, that were previously reported with the same vulnerability.
The warning issued last week by the US Cybersecurity and Infrastructure Security Agency (CISA) is an update to its Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability. It advises administrators that threat actors who successfully exploited CVE-2019-11510 and stole a victim organisation’s credentials will still be able to access—and move laterally through—that organisation’s network after the organisation has patched this vulnerability if the organisation did not change those stolen credentials.
New detection methods for this attack include a CISA-developed tool that helps network administrators search for indicators of compromise (IOCs) associated with exploitation of CVE-2019-11510. The Alert also provides mitigations for victim organisations to recover from attacks resulting from CVE-2019-11510. Network administrators are encouraged to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations to secure networks against these attacks.
A downloadable copy of the IOCs is available as a STIX file.
In tests of the CVE-2019-11510 exploit (which applied to Pulse Secure and the aforementioned other VPNs and was resolved by Pulse Secure with a patch in April 2019), CISA confirmed that plaintext Active Directory credentials were leaked and that it was possible to leak the local admin password to the VPN appliance.
In a briefing note CISA explains that “CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability affecting Pulse Secure VPN appliances. A remote attacker can exploit this vulnerability to request arbitrary files from a VPN server. The vulnerability occurs because directory traversal is hard coded to be allowed if the path contains dana/html5/acc. For example, a malicious cyber-actor can obtain the contents of /etc/passwd by requesting the following uniform resource identifier (URI):
“Obtaining the contents of /etc/passwd gives the attacker access to basic information about local system accounts. This request was seen in the proof of concept (POC) code for this exploit on GitHub. An attacker can also leverage the vulnerability to access other files that are useful for remote exploitation. By requesting the data.mdb object, an attacker can leak plaintext credentials of enterprise users.
“Open-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords; however, CISA has not observed this behaviour. By reviewing victim VPN appliance logs, CISA has noted cyber threat actors crafting requests that request files that allow for Credential Dumping [T1003] plaintext passwords from the VPN appliance.”
To detect past exploitation of CVE-2019-11510, CISA says network administrators should:
1. Turn on unauthenticated log requests - see Fig 1 below. (Note: there is a risk of overwriting logs with unauthenticated requests so, if enabling this feature, be sure to frequently back up logs; if possible, use a remote syslog server.)
Figure 1: Checkbox that enables logging exploit attacks
2. Check logs for exploit attempts. To detect lateral movement, system administrators should look in the logs for strings such as ../../../data (see figure 2).
Figure 2: Strings for detection of lateral movement
3. Manually review logs for unauthorised sessions and exploit attempts, especially sessions originating from unexpected geo-locations.
4. Run CISA’s IOC detection tool. CISA developed a tool that enables administrators to triage logs (if authenticated request logging is turned on) and automatically search for IOCs associated with exploitation of CVE-2019-11510. CISA encourages administrators to visit CISA’s GitHub page to download and run the tool. While not exhaustive, this tool may find evidence of attempted compromise.
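The "check logs for exploit attempts" step can be sketched as follows. This is an added example, not CISA's tool or Pulse Secure code: it percent-decodes each request URI and flags the strings this article names (dana/html5/acc combined with ../, ../../../data, /etc/passwd and data.mdb). The log layout, function names and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Indicators taken from the article and the CISA text it quotes.
TRAVERSAL_MARKER = "dana/html5/acc"   # path fragment for which traversal is allowed
DATA_TRAVERSAL = "../../../data"      # string administrators are told to look for
SENSITIVE_FILES = ("/etc/passwd", "data.mdb")

# ASSUMPTION: generic "<timestamp> <source-ip> <METHOD> <uri>" layout, not the
# appliance's real log format. Adjust the regex to match your exported logs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)")

def normalise(uri, rounds=3):
    """Percent-decode up to `rounds` times so %2e%2e%2f and double encoding are caught."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/").lower()

def classify(uri):
    """Return the reasons a request URI matches the indicators above (empty if none)."""
    u = normalise(uri)
    reasons = []
    if TRAVERSAL_MARKER in u and "../" in u:
        reasons.append("traversal-with-marker")
    if DATA_TRAVERSAL in u:
        reasons.append("data-dir-traversal")
    reasons += ["sensitive-file:" + f for f in SENSITIVE_FILES if f in u and "../" in u]
    return reasons

def scan(lines):
    """Return (line_number, source, reasons) for every flagged, parseable log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if match and (reasons := classify(match["uri"])):
            hits.append((number, match["src"], reasons))
    return hits

# Constructed sample lines: placeholder paths and documentation IP ranges only.
SAMPLE_LOG = [
    "2020-04-20T10:00:01Z 198.51.100.7 GET /placeholder/login",
    "2020-04-20T10:00:05Z 203.0.113.9 GET /placeholder/dana/html5/acc/placeholder/../../../../etc/passwd",
    "2020-04-20T10:00:09Z 203.0.113.9 GET /placeholder/dana/html5/acc/placeholder/%2e%2e/%2e%2e/%2e%2e/data/placeholder/data.mdb",
    "2020-04-20T10:00:12Z 192.0.2.44 GET /placeholder/dana/html5/acc/placeholder.html",
    "-- log rotated --",
]
```

Any source address returned by `scan` is a lead for the manual session review in the next step, and a hit on data.mdb or /etc/passwd is a reason to treat the appliance's stored credentials as exposed and change them.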
In an email to SC Media UK, Scott Gordon, chief marketing officer at Pulse Secure, commented: “Protecting the Secure Access infrastructure of our customers is our utmost priority. We appreciate the US-CERT and media raising awareness of the vulnerability, prior resolved in April 2019 by Pulse Secure, and encouraging organisations to not only patch their VPN, but ensure that they change privileged user and service account passwords and assess activity logs in order to mitigate derived exploits. Our security advisory (SA44101) provides necessary guidance on the steps to perform after upgrading. We continue to offer expedited technical support for customers, even those outside of maintenance, to facilitate patching efforts.”
Pulse Secure notes that it has issued guidance within its original security advisory.