exploit Pulse Secure SSL VPN vulnerability being exploited in wild

[Kevin Beaumont 92]

CVE-2019-11510, impacting Pulse Secure SSL VPN, is being exploited in the wild. 

I've seen it being exploited today, a few hours ago for first time, via BinaryEdge.

 

Timeline

24th April 2019 - Vendor advisory.

14th August 2019 - TLP Rainbow post.

20th August 2019 - exploit posted publicly.

22nd August 2019 - exploitation in wild.

Pulse Secure is one of the "Zero Trust" secure SSL VPN systems where you get pwned by 1996 ../../ exploits.

[Nicholas L 5]

This is probably getting to deep, but any indication of actual exploitation vs scanning?

[Kevin Beaumont 92]

It's a good question, you could argue it's 'just' scanning.  But a 'home' IP yada, if they're finding stuff I imagine they're changing the path.

[Kevin Beaumont 92]

2.137.127.2 is continuing to scan the internet for this.

Also on AbuseIPDB: https://www.abuseipdb.com/check/2.137.127.2

[Kevin Beaumont 92]

Pretty crazy discovery from XMPPwocky - this vulnerability is possible because the code has hardcoded logic to allow directory traversal etc if a certain path is sent - that path happens to allow exploitation.

 

 

[james mckinlay 103]

21 hours ago, Kevin Beaumont said:

 

 where you get pwned by 1996 ../../ exploits.

 

THIS ../../ IS  ../../ THE ../.../ BIT  ../../ THAT ../../ REALLY ../../ HACKS ../../ ME ../../ OFF %00

[Daniel Cuthbert 15]

Like i said, questionable as hell...

[Kevin Beaumont 92]

Bad Packets did a sweep, over 2500 endpoints across 72 countries are exposed to this & being exploited. The vulnerability is 4 months old, organisations really need to patch. 

https://badpackets.net/over-2500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/

 

Edited August 24 by Kevin Beaumont

[Kevin Beaumont 92]

The Bad Packets estimate has been revised up to 14,500 vulnerable endpoints for this issue. 

 

[Kevin Beaumont 92]

Scanning the wild for data.mdb, which include usernames and passwords in plain text.  On a live Pulse Secure SSL VPN firewall, from a prior unseen IP.

[Kevin Beaumont 92]

An anonymous researcher has pointed out you can remotely retrieve Active Directory usernames and passwords with this vulnerability - the passwords are encrypted, but always with the same passphrase ("NEOTERIS-FORM-CONFIRMATION").  So, essentially, not encrypted.

Other hardcoded encryption keys are PSECURE-ADMINPWD-KEY, JUNIPER-ADMINPWD-KEY and others.

[Kevin Beaumont 92]

Some logs you can retrieve with this remotely:

• https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.admin.vc0?/dana/html5acc/guacamole/
• https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.access.vc0?/dana/html5acc/guacamole/

As an attacker you can use these to figure out to some degree if the box has been tampered with already.

Note that to have a hope of figuring out exactly what attackers tampered with, you need to manually (it is disabled by default) enable "Unauthenticated Web Requests" logging under System -> Logs/Monitoring in the Pulse Secure admin centre.  As a result of this many orgs compromised before they installed the patch will not realise if attackers have created backdoors, and they may still be compromised.  I recommend turning on logging, and looking at the admin logs - it won't catch everything (because HTTP requests aren't logged) but you might find other signs of tampering.

Shoutout to Alyssa Herrera who continues to figure out this vulnerability.

[Kevin Beaumont 92]

For some reason the vendor is lying press about the scale of the issue, saying a majority of customers have patched. Interesting response plan. 

[Tiago Henriques 2]

We just finished our world scan on Pulse. Port 443 presents a total of 34267 valid responses on the file that has the version (no auth needed publicly exposed).

 

Top 10 versions:

Quantity | Version

 

[Kevin Beaumont 92]

There's some more background on how a group used this used to hack Twitter and claim bug bounty: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html

[Tiago Henriques 2]

https://blog.binaryedge.io/2019/09/03/pulse-secure-vpn-endpoints/