OpenSecurity.global

Two researchers have a talk upcoming at DefCon about SSL VPN vulnerabilities, and they've started (although not in the talk) by detailing an unauthenticated remote code execution vulnerability in Palo-Alto GlobalProtect, their VPN system: http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html

The short version is:

- Bad vulnerability
- Actually exploitable
- Because it's on both your VPN and firewall box (Palo-Alto do both), the attacker owns your network via the internet
- They released a patch for the issue a year ago, but didn't issue a CVE or tell people about the issues for whatever reason - so you want to check if you actually run a vulnerable version still.

Vendor advisory here after I tweeted about it: https://securityadvisories.paloaltonetworks.com/Home/Detail/158

Edited by Kevin Beaumont
Added CVE number tag


For info - seen no scanning for this in the wild.


  • Similar Content

    • By Kevin Beaumont
      CVE-2018-13379 is being exploited in the wild on Fortigate SSL VPN firewalls. These exist as a perimeter security control, so it's a bad vulnerability.
      Using BinaryEdge.io I can see scanning activity from last night for the first time for this vulnerability:

      The scanning traffic is taking place across the whole internet it appears, spray and pray style.
      The vulnerability is ridiculously easy to exploit, it's a 1996 style pre-auth ../ webserver exploit to read plain text administrator credentials:
      Timeline
      - May 24th 2019 - Vendor posts advisory - https://fortiguard.com/psirt/FG-IR-18-384
      - June 4th 2019 - Vendor updates advisory to correct impacted versions
      - August 9th 2019 - Blog explaining the different vulnerabilities in FortiOS, including this one.
      - August 14th 2019 - Exploit appears on GitHub and exploitation details posted in TLP Rainbow.
      - August 17th 2019 - Another exploit, checks if vulnerable before exploit.
      - August 21st 2019 - Exploitation seen in wild.
    • By Tim Corless
      Came across this on my travels: https://portswigger.net/daily-swig/webmin-backdoor-blamed-on-software-supply-chain-breach
      Webmin software was backdoored for over a year. If you're using one of those vulnerable versions, update now!
      According to Shodan and some Google dorks, there are quite a lot still vulnerable.
    • By Kevin Beaumont
      CVE-2019-11510, impacting Pulse Secure SSL VPN, is being exploited in the wild.
      I've seen it being exploited today, a few hours ago for the first time, via BinaryEdge.

      Timeline
      - 24th April 2019 - Vendor advisory.
      - 14th August 2019 - TLP Rainbow post.
      - 20th August 2019 - exploit posted publicly.
      - 22nd August 2019 - exploitation in wild.
      Pulse Secure is one of the "Zero Trust" secure SSL VPN systems where you get pwned by 1996 ../../ exploits.

    • By Zoë Rose
      Hello OSINT fam 💜
      What’s the most valuable advice you’ve received regarding separation of investigations? 
      Mine was: 
      1. Create a new virtual machine for every investigation (also shared within IntelTechniques’ How To videos)
      2. Use VPNs
      3. Don’t overuse the same alias, and in some situations use new ones per engagement 
      Cheers 
    • By Kevin Beaumont
      A track of BlueKeep CVE-2019-0708 scanners and exploits.
      Scanners
      https://github.com/zerosum0x0/CVE-2019-0708 - first uploaded May 22nd 2019
      https://www.rapid7.com/db/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep - first uploaded May 25th 2019
      Remote code execution exploits
      Unreleased
      Technical writeups
      @0xeb_bp has released a technical writeup.  It doesn't contain code but it does make clear how to reach exploitation, at least on XP.
      0xeb_bp_BlueKeep_Technical_Analysis.pdf
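Both the Fortigate (CVE-2018-13379) and Pulse Secure (CVE-2019-11510) posts above describe pre-auth "../" traversal bugs on perimeter SSL VPN web front ends, and the Fortigate post notes that scanning for them is internet-wide, spray-and-pray style. The script below is an added example, not code from this thread or from either vendor: a small detector a defender can run over the access logs of any internet-facing web portal. It parses combined-log-format lines, URL-decodes each request path repeatedly (to catch double encoding), folds backslashes, and flags parent-directory segments and dot-run evasions, then ranks source addresses by the number of flagged requests so that one-off probes can be told apart from a single source hammering the box. The log lines, IP addresses and paths embedded in it are constructed samples, not real traffic or any product's real endpoints.

```python
"""Flag directory-traversal probes in web-server access logs.

Added example (not code from the original thread or from any vendor).
Log lines, addresses and paths below are constructed samples.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined-log-format line: src ident user [timestamp] "METHOD path HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A parent-directory segment after decoding: "/../", a leading "../", or a trailing "/.."
DOTDOT_SEGMENT = re.compile(r'(?:^|/)\.\.(?:/|$)')
# Runs of three or more dots before a slash ("..../"); some filters strip "../"
# once and leave a working "../" behind, so the run itself is worth flagging
DOT_RUN = re.compile(r'\.{3,}/')

MAX_DECODE_ROUNDS = 3  # bounded so a pathological input cannot loop forever


def normalise_path(raw_path: str) -> str:
    """Drop the query string, percent-decode until stable (bounded), fold backslashes."""
    path = raw_path.split('?', 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def traversal_indicators(raw_path: str) -> list:
    """Return the indicator names that fire for one request path (empty list = clean)."""
    indicators = []
    raw_no_query = raw_path.split('?', 1)[0]
    decoded = normalise_path(raw_path)
    if DOTDOT_SEGMENT.search(decoded):
        indicators.append('dotdot-segment')
        # Traversal only appears after decoding/folding: the sender hid it on purpose
        if not DOTDOT_SEGMENT.search(raw_no_query):
            indicators.append('obfuscated')
    if DOT_RUN.search(decoded):
        indicators.append('dot-run')
    return indicators


def scan_log(log_text: str) -> list:
    """Parse each line and return a dict per line that carries traversal indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count and alert on these
        ind = traversal_indicators(m.group('path'))
        if ind:
            hits.append({
                'src': m.group('src'),
                'path': m.group('path'),
                'status': int(m.group('status')),
                'indicators': ind,
            })
    return hits


def sources_by_hit_count(hits: list) -> list:
    """Rank source addresses by flagged-request count: many sources with one hit each
    looks like an internet-wide spray; one source with many hits looks targeted."""
    return Counter(h['src'] for h in hits).most_common()


# Constructed sample log (TEST-NET addresses; "/portal" is a placeholder path,
# not any vendor's real endpoint).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Aug/2019:03:14:07 +0000] "GET /portal/login HTTP/1.1" 200 5120
203.0.113.11 - - [22/Aug/2019:03:14:09 +0000] "GET /portal/../../../../etc/hostname HTTP/1.1" 404 210
203.0.113.12 - - [22/Aug/2019:03:14:12 +0000] "GET /portal/%2e%2e/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 404 210
203.0.113.13 - - [22/Aug/2019:03:14:15 +0000] "GET /portal/..%252f..%252fetc/hostname HTTP/1.1" 404 210
203.0.113.14 - - [22/Aug/2019:03:14:20 +0000] "GET /static/js/app.js?v=2019.08 HTTP/1.1" 200 8890
203.0.113.11 - - [22/Aug/2019:03:14:21 +0000] "GET /portal/....//....//etc/hostname HTTP/1.1" 404 210
"""

if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['src']:15} {h['status']} {','.join(h['indicators']):24} {h['path']}")
    print('by source:', sources_by_hit_count(found))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; a 404 on a flagged path shows a probe that missed, while a 200 on one is the line to escalate. The `obfuscated` indicator is the useful triage signal: a plain `../` in a URL is sometimes a broken link, but one that only appears after decoding is almost never accidental.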
       