Pulse Secure VPN Vulnerability Remains Open to Exploitation
Unpatched Pulse Secure VPN servers remain a critical target for exploitation and remote code execution, according to CISA.
CISA Warns of Pulse Secure VPN Vulnerability
An alert from the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) states that unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors.
While Pulse Secure disclosed the vulnerability and provided the appropriate software patches back in April 2019, CISA says it continues to observe wide exploitation of CVE-2019-11510, a remote code execution (RCE) vulnerability through which unpatched servers can be compromised in an attack.
According to a recent article in Forbes, what prompted this level of CISA interest is the ongoing Travelex foreign currency exchange cyber-attack, thought to have been facilitated by no fewer than seven VPN servers that were late in being patched against this critical vulnerability.
CISA expects to see “continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes.”
How Pulse Secure VPN is Being Attacked
A report on Health IT Security explains that stolen credentials could be leveraged to connect to the VPN, “giving a hacker the ability to change configuration settings or connect to other devices on the network. In a worst-case scenario, an attacker with an authorized connection could obtain necessary privileges to run secondary exploits designed to access the root shell.”
Health IT Security reported that a spokesperson for Pulse Secure warned that threat actors will continue to take advantage of the vulnerability, which is also found on Palo Alto and Fortinet VPN products.
The threat actors’ goal, said the report, is to propagate, distribute, and activate the malware variant known as REvil (Sodinokibi) through “interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers.”
Sodinokibi typically targets IT managed service providers and their clients. The group behind it, noted the Health IT Security report, was responsible for the massive ransomware attack on CTS, an IT vendor for hundreds of dental providers.
DHS CISA shares the view that researchers expect to see continued exploitation of the vulnerability, which is why organizations are being urged to upgrade their VPN servers with the corresponding fixes; CISA notes that there are “no viable workarounds except for applying the patches… and performing required system updates.”
How Syxsense Can Help
“If Pulse Secure were installed on a device that the Syxsense solution is managing,” explained Jon Cassell, Senior Solutions Architect, “it could easily be updated by leveraging software inventory, software distribution to push executables or scripts, remote control, and even custom patches.”
However, from what is known, the vulnerability must be resolved server-side. Fortunately, no client-side update is needed, which keeps the remediation process simple.
“The main concern,” said Cassell, “is that the industry isn’t aware of the vulnerability and administrators might be taking too long to address it. Leveraging an insecure VPN solution defeats the purpose, so it’s best for any Pulse Secure customers to stop what they’re doing and remediate the vulnerability as soon as possible.”
Experience the Power of Syxsense
Syxsense has created innovative and intuitive technology that sees and knows everything. Manage and secure your environment with a simple and powerful solution.