Alert - Active exploitation of VPN vulnerabilities

Number: AL19-016 UPDATE 1
Date: 17 September 2019

UPDATE 1

The purpose of this update is to provide further information, including an ‘Indication of a Compromise’ section under each VPN product as well as a ‘Suggested Action’ section with more general methods of mitigating a possible compromise.

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it within their respective organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

The Cyber Centre has become aware of widespread exploitation attempts being made against Virtual Private Networks (VPNs). A recent Black Hat 2019 presentation on VPN vulnerabilities has triggered heightened interest in exploiting vulnerabilities present in multiple VPN products, including Fortinet Fortigate, Palo Alto GlobalProtect, and Pulse Secure. In some cases, proof of concept code and exploitation tools have been published on the Internet. Because VPN devices are typically Internet-facing, it is of the utmost importance that they be kept up to date with the latest patches.

ASSESSMENT

Fortinet Fortigate VPN
Several vulnerabilities in the Fortinet Fortigate SSL VPN were discovered by the Black Hat presenters, including a previously undisclosed “back door” in the VPN. These vulnerabilities could allow remote actors to view sensitive information including plaintext usernames and passwords, change user passwords, and execute arbitrary code on the VPN server, among other things. Details of the most critical vulnerabilities are as follows:

  • CVE-2018-13382: A backdoor could allow an unauthenticated user to change SSL VPN user passwords. A software tool which is allegedly able to exploit this vulnerability has been released publicly.
  • CVE-2018-13379: A path traversal vulnerability could allow a remote, unauthenticated actor to view sensitive information, including plaintext usernames and passwords.
  • CVE-2018-13380: A cross-site scripting vulnerability.
  • CVE-2018-13383: A remote code execution vulnerability that could allow an authenticated user to execute code on the VPN server.

These vulnerabilities affect various versions of the underlying Fortinet FortiOS software. Patches have been released for all known affected versions. See each respective CVE article in the references section for details.

Should administrators not be able to apply the security patches or upgrade their VPNs immediately, Fortinet advises administrators to disable the SSL VPN as an immediate mitigation step. This can be done by disabling any firewall policies tied to SSL VPN, and then disabling the SSL VPN itself using the following commands:

For FortiOS 5.2 and above branches:

config vpn ssl settings
unset source-interface
end

For FortiOS 5.0 and below branches:

config vpn ssl settings
set sslvpn-enable disable
end

Indication of a Compromise:

  • Check device logs for HTTP GET requests to /remote/fgt_lang with the lang parameter set. A request of this nature could be attempting to exploit CVE-2018-13379. For example, an HTTP request which attempts to read the file ‘sslvpn_websession’, which can contain plaintext usernames and passwords, would appear as an HTTP request to the path /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession.
  • Check device logs for HTTP POST requests to /remote/logincheck with a ‘magic’ parameter set. A request of this nature is attempting to exploit CVE-2018-13382.

Palo Alto GlobalProtect VPN
A vulnerability in the Palo Alto GlobalProtect VPN allows a remote, unauthenticated actor to execute arbitrary code on the VPN server (CVE-2019-1579). Proof of concept code has been publicly released and this vulnerability is being actively exploited, as observed by third-party researchers. This vulnerability affects various versions of the underlying Palo Alto PAN-OS software. Patches have been released for all known affected versions.

Indication of a Compromise:

  • Check device logs for HTTP POST requests to /sslmgr with the ‘scep-profile-name' parameter set.

Pulse Connect Secure and Pulse Policy Secure VPN
Multiple vulnerabilities in the Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) products have been discovered, including an arbitrary file read vulnerability (CVE-2019-11510), which could allow a remote, unauthenticated actor to view cached plaintext user passwords and other sensitive information.

These vulnerabilities affect multiple versions of the PCS and PPS products. Patches have been released for all known affected versions.

Indication of a Compromise:

  • Check device logs for HTTP GET requests containing /dana/html5acc/guacamole/, which is indicative of attempts to exploit CVE-2019-11510. For example, a request attempting to download the /etc/passwd file would appear as an HTTP request to the path /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/. It should be noted that logging for this vector of compromise may not be enabled by default. To enable it, an administrator must go to System > Log/Monitoring > User Access > Settings and check the [x] Unauthenticated Requests box.
  • The arbitrary file read vulnerability could allow an actor to obtain a session ID for an active session and use it to connect to the VPN server, bypassing authentication in the process, including two-factor authentication if enabled. Example log lines are provided below; lines of this kind could be indicative of multiple active users on a single session.
  • 2019-08-14 09:35:32 – PulseSecure – [1.2.3.4] DOMAIN\username – Remote address for user DOMAIN\username changed from 1.2.3.4 to 5.6.7.8.
  • 2019-08-14 09:38:56 – PulseSecure – [1.2.3.4] DOMAIN\username – Remote address for user DOMAIN\username changed from 5.6.7.8 to .
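The HTTP request indicators listed for all three products (Fortinet, Palo Alto and Pulse Secure) can be checked mechanically. The following is an added example, not code from the Cyber Centre or any vendor; it assumes a constructed log format in which the request target (and, for POST, the form body) is recorded, and flags a request as a likely exploitation attempt, rather than ordinary use of the same endpoint, when it also carries a '..' traversal segment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log format for this example (not any vendor's real format):
# <date> <time> <client_ip> "<METHOD> <target> HTTP/x.y" <status> [body="<form data>"]
LOG_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) '
                    r'HTTP/[\d.]+" \d{3}(?: body="(?P<body>[^"]*)")?$')

# One rule per indicator in the alert: (CVE, method, test(path, decoded target), required parameter).
RULES = [
    ("CVE-2018-13379", "GET",  lambda p, raw: p.startswith("/remote/fgt_lang"), "lang"),
    ("CVE-2018-13382", "POST", lambda p, raw: p == "/remote/logincheck", "magic"),
    ("CVE-2019-1579",  "POST", lambda p, raw: p == "/sslmgr", "scep-profile-name"),
    ("CVE-2019-11510", "GET",  lambda p, raw: "/dana/html5acc/guacamole/" in raw, None),
]

def classify_request(method, target, body=""):
    """Return (cve, traversal) when the request matches an indicator, else None.
    traversal is True when a '..' segment appears in the decoded request, which
    separates exploitation attempts from ordinary use of the same endpoint."""
    raw = unquote(target)  # decode %2e%2e-style obfuscation before matching
    parts = urlsplit(raw)
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))  # POST parameters arrive in the body
    for cve, rule_method, path_ok, param in RULES:
        if method == rule_method and path_ok(parts.path, raw) and (param is None or param in params):
            return cve, ".." in raw or ".." in body
    return None

def scan_log(lines):
    """Return (timestamp, client_ip, cve, traversal, target) for every matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        verdict = classify_request(m["method"], m["target"], m["body"] or "")
        if verdict:
            hits.append((m["ts"], m["ip"], verdict[0], verdict[1], m["target"]))
    return hits

# Constructed sample lines: the four indicators from the alert plus one benign request.
SAMPLE_LOG = [
    '2019-09-10 11:02:14 203.0.113.7 "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200',
    '2019-09-10 11:02:20 203.0.113.7 "POST /remote/logincheck HTTP/1.1" 200 body="username=alice&magic=PLACEHOLDER"',
    '2019-09-10 11:05:01 198.51.100.9 "POST /sslmgr HTTP/1.1" 200 body="scep-profile-name=PLACEHOLDER"',
    '2019-09-10 11:07:42 198.51.100.9 "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200',
    '2019-09-10 11:09:00 192.0.2.44 "GET /remote/login?lang=en HTTP/1.1" 200',
]
```

Adapt LOG_RE to the actual log format of the device or proxy in front of it; the rule table is the part that carries the alert's indicators.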

Please note that it is possible for the IP address to legitimately change for a single client. However, frequent occurrences of an IP address changing within a single session should be treated with suspicion and scrutiny. In addition, connections from suspicious IP addresses or different user sessions coming from the same IP address should be treated as suspect.
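To turn the caveat above into a repeatable check, the following added example (not the Cyber Centre's code) parses "Remote address for user ... changed" lines in the format quoted above, counts how many changes a user accumulates inside a short window, and reports any IP address that appears under more than one user. The two-change, ten-minute thresholds and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Remote address for user ... changed from A to B." lines quoted in the alert.
# The alert's sample uses an en dash as separator; a plain hyphen is accepted as well.
CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) [–-] PulseSecure [–-] \[[^\]]*\] "
    r"(?P<user>\S+) [–-] Remote address for user \S+ changed from (?P<old>\S*) to (?P<new>\S*?)\.$"
)

def parse_changes(lines):
    """Return (timestamp, user, old_ip, new_ip) for each address-change line; the
    new address may be empty, as in the alert's second sample line."""
    events = []
    for line in lines:
        m = CHANGE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["old"], m["new"]))
    return events

def analyse(lines, max_changes=2, window=timedelta(minutes=10)):
    """Return (churn, shared). churn maps a user to the highest number of address
    changes seen inside any `window`, for users reaching `max_changes`; shared maps
    an IP to the users that used it, for IPs seen under more than one user.
    The threshold and window are assumptions, not values from the alert."""
    per_user, ip_users = defaultdict(list), defaultdict(set)
    for ts, user, old, new in parse_changes(lines):
        per_user[user].append(ts)
        for ip in (old, new):
            if ip:  # skip the empty "to ." case
                ip_users[ip].add(user)
    churn = {}
    for user, stamps in per_user.items():
        peak = max(sum(1 for t in stamps if t <= ts and ts - t <= window) for ts in stamps)
        if peak >= max_changes:
            churn[user] = peak
    shared = {ip: users for ip, users in ip_users.items() if len(users) > 1}
    return churn, shared

# Constructed sample: the alert's two lines (user renamed) plus a benign single change
# for bob and a second user, carol, later seen on alice's address.
SAMPLE_LINES = [
    r"2019-08-14 09:35:32 – PulseSecure – [1.2.3.4] DOMAIN\alice – Remote address for user DOMAIN\alice changed from 1.2.3.4 to 5.6.7.8.",
    r"2019-08-14 09:38:56 – PulseSecure – [1.2.3.4] DOMAIN\alice – Remote address for user DOMAIN\alice changed from 5.6.7.8 to .",
    r"2019-08-14 12:10:00 – PulseSecure – [9.9.9.9] DOMAIN\bob – Remote address for user DOMAIN\bob changed from 9.9.9.9 to 10.0.0.5.",
    r"2019-08-14 12:12:30 – PulseSecure – [5.6.7.8] DOMAIN\carol – Remote address for user DOMAIN\carol changed from 7.7.7.7 to 5.6.7.8.",
]
```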

If there is evidence of a compromise, administrators should, in addition to patching, reset all credentials for both local accounts on the VPN server as well as accounts which have access to the VPN service.

SUGGESTED ACTION

In addition to watching for the VPN-specific indicators in the Assessment section, administrators should take the following more general steps to harden their VPN services, regardless of make:

  • Patch VPN servers as quickly as possible, and check for indication of a compromise using the information provided for each vulnerability.
  • Reset all user and administrator passwords after these vulnerabilities have been patched.
  • Employ multi-factor authentication for users connecting to VPN services.

REFERENCES

Black Hat 2019 “Infiltrating Corporate Intranet Like NSA” presentation: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
Fortinet security advisories: https://fortiguard.com/psirt/FG-IR-18-384 (CVE-2018-13379), https://fortiguard.com/psirt/FG-IR-18-383 (CVE-2018-13380), https://fortiguard.com/psirt/FG-IR-18-389 (CVE-2018-13382), https://fortiguard.com/psirt/FG-IR-18-388 (CVE-2018-13383)
Palo Alto security advisory: https://securityadvisories.paloaltonetworks.com/Home/Detail/158
Pulse Secure security advisory: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Volexity “Vulnerable Private Networks: Corporate VPNs Exploited in the Wild” blog post: https://www.volexity.com/blog/2019/09/11/vulnerable-private-networks-corporate-vpns-exploited-in-the-wild/

NOTE TO READERS

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.