The Door is Wide Open: Unpatched Security Flaw Leads to Leak of Login Credentials for 900+ Enterprise VPNs
A popular brand of VPN software recently had usernames, passwords, and IP addresses published on a dark web hacker forum frequented by ransomware gangs.
I first wrote about this issue in July 2019. At the time, various VPN appliances from three well known and highly used vendors were vulnerable to a critical vulnerability which could allow a hacker to access a company’s network – and view everything on that company’s network – without requiring any credentials. From a data privacy and information security standpoint, this is probably one of the single greatest threats to any business today – hackers bypassing all security measures in place – i.e. usernames, passwords, and multifactor authentication – and accessing all of a company’s data.
Almost exactly one year later and I’m writing about this again. This post focuses on VPN appliances from one vendor specifically – Pulse Secure.
The Cybersecurity and Infrastructure Security Agency (CISA), which is essentially the federal government’s equivalent to an investment adviser’s Risk Committee, has issued multiple alerts regarding this vulnerability over the last 13 months. The initial CISA Alert in July 2019 advised of the existence of the vulnerabilities discussed in my previous post and encouraged systems administrators to review information released by the vendors regarding fixes, which included, among other things, installing the software patch and changing all account passwords immediately after installing the patch. Pulse Secure was singled out in the October 2019 CISA Alert; once again, systems administrators were encouraged to follow the vendor’s guidelines for securing their VPN appliances.
Subsequently, the CISA Alert published January 10, 2020, “strongly urge[d]” companies to install patches provided by the vendor and follow the vendor’s other recommendations to remedy the vulnerability, with the agency expecting attacks to continue exploiting the vulnerability. It was in this alert that CISA first mentioned that hackers could access all active users of a compromised VPN and read their credentials in plain-text, meaning they could see the network credentials of all users of that vulnerable VPN, which could be used later for nefarious purposes. According to this alert, as of August 24, 2019, the patch had not been installed on over 14,500 servers globally – leaving them still vulnerable.
The CISA Alert published April 16, 2020, indicates that in the three months since the previous Alert was issued, multiple US Government and private agencies had fallen victim to this vulnerability being exploited. The big problem here is that attackers were able to exfiltrate account credentials and use them months later. Even if organizations had patched the vulnerability, many of them had not followed the vendor’s recommendation to change all user credentials subsequent to patching – basically closing the screen door on your house but leaving the main door wide open to anyone on the outside.
It was recently discovered that the usernames and passwords – including accounts with elevated privileges for system administrators – of over 900 Pulse Secure enterprise VPNs had been compromised and posted to a hacker forum on the dark web frequented by ransomware gangs. It is evident that the dark web can be a treasure trove of access credentials, and dark web monitoring enables firms to proactively stay abreast of these compromises.
Pulse Secure released a patch for this vulnerability on April 24th, 2019, noting that the “vulnerability is critical and should be patched right away.” Pulse Secure also recommended that all accounts, including administrator accounts and service accounts, change their passwords following the patch install.
The guidance and recommendation for this post remains similar to that of last year: if your company uses VPN software to accomplish connections for remote working, which is increasingly likely now in the midst of a pandemic, ask your IT department or IT vendor whether Pulse Connect Secure and/or Pulse Policy Secure products are used, and if they are used confirm that the patch for CVE-2019-11510 has been applied, all account passwords have been changed, and any other recommendations provided by the vendor have been implemented. If your company uses one of these products and has not patched the vulnerability discussed here, stop what you are doing, contact your IT personnel and request that this be remedied immediately! The full list of Pulse Secure’s recommendations following the installation of the patch can be found in the “Post-Update Recommendations” section of the article linked in this paragraph.
CSS wants to keep your data safe. We’re offering a complimentary Dark Web Monitoring assessment. To get in touch with our cybersercurity experts, please email us at: firstname.lastname@example.org.