OpenSecurity.global

Kevin Beaumont

Pulse Secure SSL VPN vulnerability being exploited in wild


CVE-2019-11510, impacting Pulse Secure SSL VPN, is being exploited in the wild. 

I've seen it being exploited today, a few hours ago for the first time, via BinaryEdge.


Timeline

24th April 2019 - Vendor advisory.

14th August 2019 - TLP Rainbow post.

20th August 2019 - exploit posted publicly.

22nd August 2019 - exploitation in wild.

Pulse Secure is one of the "Zero Trust" secure SSL VPN systems where you get pwned by 1996 ../../ exploits.


This is probably getting too deep, but any indication of actual exploitation vs scanning?


It's a good question, you could argue it's 'just' scanning.  But a 'home' IP yada, if they're finding stuff I imagine they're changing the path.


Pretty crazy discovery from XMPPwocky - this vulnerability is possible because the code has hardcoded logic to allow directory traversal etc if a certain path is sent - that path happens to allow exploitation.

21 hours ago, Kevin Beaumont said:

  where you get pwned by 1996 ../../ exploits.

THIS ../../ IS  ../../ THE ../.../ BIT  ../../ THAT ../../ REALLY ../../ HACKS ../../ ME ../../ OFF %00


The Bad Packets estimate has been revised up to 14,500 vulnerable endpoints for this issue. 


Scanning the wild for data.mdb, which includes usernames and passwords in plain text. On a live Pulse Secure SSL VPN firewall, from a previously unseen IP.


An anonymous researcher has pointed out you can remotely retrieve Active Directory usernames and passwords with this vulnerability - the passwords are encrypted, but always with the same passphrase ("NEOTERIS-FORM-CONFIRMATION").  So, essentially, not encrypted.

Other hardcoded encryption keys are PSECURE-ADMINPWD-KEY, JUNIPER-ADMINPWD-KEY and others.


Some logs you can retrieve with this remotely:

  • https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.admin.vc0?/dana/html5acc/guacamole/
  • https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.access.vc0?/dana/html5acc/guacamole/

As an attacker you can use these to figure out to some degree if the box has been tampered with already.

Note that to have a hope of figuring out exactly what attackers tampered with, you need to manually (it is disabled by default) enable "Unauthenticated Web Requests" logging under System -> Logs/Monitoring in the Pulse Secure admin centre.  As a result of this many orgs compromised before they installed the patch will not realise if attackers have created backdoors, and they may still be compromised.  I recommend turning on logging, and looking at the admin logs - it won't catch everything (because HTTP requests aren't logged) but you might find other signs of tampering.

Shoutout to Alyssa Herrera who continues to figure out this vulnerability.

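As an added example (not code from the thread or from Pulse Secure), a small Python detector that runs over constructed access log lines and flags requests using the traversal prefix quoted above, separating likely successful reads of the files named in this thread (HTTP 200) from plain scanning, which is the distinction asked about earlier. The combined log format, field names and sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined log format; the group names are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Traversal prefix described in the thread: the hardcoded guacamole path, then ../ runs.
TRAVERSAL_RE = re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+", re.I)
# Files the thread names as retrievable through it.
SENSITIVE_RE = re.compile(r"data\.mdb|/data/runtime/logs/log\.(?:admin|access)\.vc0", re.I)

def normalise(path):
    """Percent-decode repeatedly (bounded) so encoded ../ variants are not missed."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return a finding for a traversal request, or None for a benign/unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise(m["path"])
    if not TRAVERSAL_RE.search(path):
        return None
    status = int(m["status"])
    sensitive = bool(SENSITIVE_RE.search(path))
    # A 200 on one of the named files is a likely read; anything else looks like scanning.
    verdict = "likely_exfiltration" if sensitive and status == 200 else "scanning"
    return {"ip": m["ip"], "status": status, "path": path, "verdict": verdict}

def scan(lines):
    """Apply classify() to every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (not real traffic): one benign request, two traversal attempts.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Aug/2019:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Aug/2019:10:01:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.access.vc0?/dana/html5acc/guacamole/ HTTP/1.1" 404 0',
    '203.0.113.9 - - [22/Aug/2019:10:01:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/data/runtime/logs/log.admin.vc0?/dana/html5acc/guacamole/ HTTP/1.1" 200 88212',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

This only works on appliances where unauthenticated web request logging was already enabled, or on a reverse proxy or WAF in front of the VPN, for the reason given in the post above.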

For some reason the vendor is lying to the press about the scale of the issue, saying a majority of customers have patched. Interesting response plan.


We just finished our world scan on Pulse. Port 443 presents a total of 34267 valid responses on the file that has the version (no auth needed, publicly exposed).

Top 10 versions: (table of Quantity | Version, posted as an image)

