TLP: WHITE

Date:  August 21, 2019

The Health Sector Cybersecurity Coordination Center (HC3) has released a White Paper on a recent critical VPN vulnerability.  A summary of the paper, along with the specific impacted products and detailed recommendations, is provided below.

Summary

At the recent Black Hat and DEF CON conferences, a team of researchers disclosed critical vulnerabilities in three widely used enterprise VPN services.  Exploiting these vulnerabilities could allow attackers to gain access to enterprise networks.

The vulnerable VPN services and versions are listed below:

  • Palo Alto Networks GlobalProtect (with GlobalProtect enabled)
    • PAN-OS 7.1.18 and earlier
    • PAN-OS 8.0.11-h1 and earlier
    • PAN-OS 8.1.2 and earlier
  • Pulse Secure’s Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS)
    • Pulse Connect and Pulse Policy Secure 9.0RX and earlier
  • Fortinet FortiGate (FortiOS), only if the SSL VPN service is enabled
    • FortiOS 5.6.3 to 5.6.7
    • FortiOS 6.0.0 to 6.0.4

HC3 reports that malicious actors are actively targeting these vulnerabilities; it is therefore critically important that members of the Health and Public Health (HPH) sector patch and secure their systems.  Patches to address these vulnerabilities are available from each of the VPN vendors.  Organizations that continue to run the vulnerable versions without patching will remain exposed to PII disclosure, financial fraud, and ransomware attacks.

Analysis

At the recent Black Hat and DEF CON 2019 conferences in Las Vegas, NV (August 7 and August 9, 2019), the DEVCORE cybersecurity research team demonstrated critical vulnerabilities in each of three popular enterprise VPN services, attributed to their common reliance on exposed SSL certificates and processes.

The vulnerable VPN services and versions are listed below:

  • Palo Alto Networks GlobalProtect (with GlobalProtect enabled)
    • PAN-OS 7.1.18 and earlier
    • PAN-OS 8.0.11-h1 and earlier
    • PAN-OS 8.1.2 and earlier
  • Pulse Secure’s Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS)
    • Pulse Connect and Pulse Policy Secure 9.0RX and earlier
  • Fortinet FortiGate (FortiOS), only if the SSL VPN service (web-mode or tunnel-mode) is enabled
    • FortiOS 5.6.3 to 5.6.7
    • FortiOS 6.0.0 to 6.0.4

The DEVCORE proof-of-concept exploit for Remote Code Execution led to full access to corporate networks belonging to Twitter and Uber, which DEVCORE responsibly reported to each company.  It is likely that a significant number of HPH sector entities are using the affected hardware appliances and software vulnerable to these exploits.

Recommended Actions

  • Update any relevant system within your infrastructure. Each manufacturer has released updated patches for their systems. These patches should be considered a high priority.
  • Update system configurations and disable unused components. As some of the exploits rely on default interfaces and configurations (such as web interfaces), HPH sector organizations are encouraged to disable any VPN services that are not operationally necessary.
  • Discourage usage of open and unsecured public WiFi.  Using open WiFi, or WiFi secured only with an openly shared pre-shared key, opens the door to a number of replay and man-in-the-middle attacks. Update cybersecurity policies and awareness training to discourage corporate usage of public WiFi in favor of encrypted WLAN or WiFi connections.
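The first recommended action is easier to carry out with an inventory check that encodes the affected-version ranges listed in this bulletin. The Python script below is an added example for that purpose; it is not part of the HC3 or H-ISAC material and not a vendor tool. The product keys, the status labels and the inventory rows are constructed assumptions, and the "service enabled" flag stands for GlobalProtect on PAN-OS and the SSL VPN service on FortiOS, since the bulletin lists those as conditions.

```python
"""Check a device inventory against the affected-version ranges in the bulletin.

Added example, not part of the bulletin. Version ceilings and ranges are the
ones the bulletin lists; everything else (product keys, inventory rows,
status labels) is constructed for illustration.
"""
import re

# Constructed sample inventory: (hostname, product, version, service_enabled).
# "service_enabled" means GlobalProtect (PAN-OS) or SSL VPN (FortiOS) is on.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "pan-os", "8.1.2", True),
    ("fw-edge-02", "pan-os", "8.0.11-h1", True),
    ("fw-edge-03", "pan-os", "8.0.12", True),
    ("fw-dc-01", "pan-os", "7.1.18", False),
    ("vpn-gw-01", "pulse", "9.0R3.1", True),
    ("vpn-gw-02", "pulse", "9.1R1", True),
    ("fgt-branch-01", "fortios", "5.6.7", True),
    ("fgt-branch-02", "fortios", "6.0.4", False),
    ("fgt-branch-03", "fortios", "6.0.5", True),
]

# PAN-OS: inclusive ceiling per release train, as listed in the bulletin.
PAN_OS_CEILINGS = {
    (7, 1): (7, 1, 18),
    (8, 0): (8, 0, 11, 1),   # 8.0.11-h1 parses to (8, 0, 11, 1)
    (8, 1): (8, 1, 2),
}
# FortiOS: inclusive ranges, only exploitable when SSL VPN is enabled.
FORTIOS_RANGES = [((5, 6, 3), (5, 6, 7)), ((6, 0, 0), (6, 0, 4))]
# Pulse Connect Secure / Pulse Policy Secure: 9.0RX and earlier.
PULSE_MAX_TRAIN = (9, 0)

# Which products the bulletin makes conditional on a service being enabled.
SERVICE_CONDITION = {"pan-os": True, "fortios": True, "pulse": False}


def parse_version(version: str) -> tuple:
    """Turn '8.0.11-h1', '9.0R3.1' or '6.0.4' into a comparable tuple.

    Every run of digits becomes one component, so a PAN-OS hotfix suffix
    ('-h1') or a Pulse release suffix ('R3.1') sorts after the base version:
    (8, 0, 11) < (8, 0, 11, 1) < (8, 0, 12).
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def version_affected(product: str, version: str) -> bool:
    """True when the version falls inside the bulletin's affected ranges."""
    v = parse_version(version)
    train = v[:2]
    if product == "pan-os":
        if train in PAN_OS_CEILINGS:
            return v <= PAN_OS_CEILINGS[train]
        # A train older than every listed one is "earlier" than 7.1.18.
        return train < min(PAN_OS_CEILINGS)
    if product == "fortios":
        return any(lo <= v <= hi for lo, hi in FORTIOS_RANGES)
    if product == "pulse":
        return train <= PULSE_MAX_TRAIN
    raise ValueError(f"unknown product {product!r}")


def assess(product: str, version: str, service_enabled: bool) -> str:
    """Classify one device: OK, VULNERABLE, or affected but service disabled."""
    if not version_affected(product, version):
        return "OK"
    if SERVICE_CONDITION[product] and not service_enabled:
        # Not exploitable per the bulletin, but still an unpatched version.
        return "AFFECTED-VERSION-SERVICE-DISABLED"
    return "VULNERABLE"


def scan(inventory) -> list:
    """Return (hostname, status) for every inventory row."""
    return [(host, assess(product, version, enabled))
            for host, product, version, enabled in inventory]


if __name__ == "__main__":
    for host, status in scan(SAMPLE_INVENTORY):
        print(f"{host:15} {status}")
```

Devices reported as AFFECTED-VERSION-SERVICE-DISABLED still belong on the patch list; the status only records that the bulletin's exploit condition is not currently met.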
References

  1. Palo Alto Networks, “Palo Alto Security Advisory,” 24 July 2019, accessed 8 Aug 2019; https://securityadvisories.paloaltonetworks.com/(X(1)S(klphdezgerjfyhnvfqkwlgqu))/Home/Detail/158?Aspx
  2. Pulse Secure, “SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX,” 30 July 2019, accessed 8 Aug 2019; https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
  3. Fortinet PSIRT, “FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests,” 24 May 2019, accessed 8 Aug 2019; https://fortiguard.com/psirt/FG-IR-18-384
  4. Wikipedia, “Virtual Private Network,” 8 Aug 2019, accessed 8 Aug 2019; https://en.wikipedia.org/wiki/Virtual_private_network
  5. Orange Tsai and Meh Chang, “Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs,” DEF CON 27, 2019, accessed 8 Aug 2019; https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Tsai
  6. Zack Whittaker, “Flaws in widely used corporate VPNs put company secrets at risk,” TechCrunch, 23 July 2019, accessed 8 Aug 2019; https://techcrunch.com/2019/07/23/corporate-vpn-flaws-risk/
  7. Luke Bencie, “Why you really need to stop using public Wi-Fi,” Harvard Business Review, 3 May 2017, accessed 8 Aug 2019; https://hbr.org/2017/05/why-you-really-need-to-stop-using-public-wi-fi
  8. Dave Piscitello, “What is a man in the middle attack?” ICANN, 2 Nov 2015, accessed 8 Aug 2019; https://www.icann.org/news/blog/what-is-a-man-in-the-middle-attack

— 

Please send any questions or comments to soc@h-isac.com.

H-ISAC Security Operations Center

Health-ISAC (Health Information Sharing and Analysis Center)

226 North Nova Rd, #391, Ormond Beach, FL 32174

www.h-isac.org