Hackers are exploiting recently disclosed flaws in enterprise virtual private network (VPN) products from Fortinet and Pulse Secure.

The popular cybersecurity expert Kevin Beaumont has observed threat actors attempting to exploit CVE-2018-13379 in the FortiOS SSL VPN web portal and CVE-2019-11510 in Pulse Connect Secure.

Fortigate Fortinet SSL VPN is being exploited in the wild since last night at scale using 1996 style ../../ exploit – if you use this as a security boundary, you want to patch ASAP https://t.co/IaBSqZJ9iS — Kevin Beaumont (@GossiTheDog) August 22, 2019

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that an unauthenticated attacker could exploit to download FortiOS system files.

“A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.” reads the security advisory.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

“Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability.” reads the advisory.
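Both flaws are unauthenticated file reads triggered by a crafted request path, so the defender-side signal is a request whose path climbs out of the web root. The following detector is an added example, not code from the article or from either vendor: it percent-decodes each logged request path (including double encoding), normalises it, and flags requests that escape the root. The log lines and the /sslvpn/portal/ prefix are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined/common log format: ip ident user [date] "METHOD PATH PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_fully(s, max_rounds=3):
    """Percent-decode until stable so %252e%252e (double-encoded ..) is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def escapes_webroot(path):
    """True if the request path, once decoded, resolves above the web root."""
    decoded = decode_fully(path.split('?', 1)[0]).replace('\\', '/')
    depth = 0
    for seg in decoded.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:          # climbed above the root: traversal attempt
                return True
        else:
            depth += 1
    return False

def find_traversal_attempts(log_lines):
    """Return one record per request that escapes the web root; unparsable lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if escapes_webroot(path):
            hits.append({'ip': ip, 'method': method, 'path': path, 'status': int(status)})
    return hits

# Constructed sample access log: one benign page load, one plain traversal,
# one double-encoded traversal, one harmless '..' that stays inside the root, one junk line.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Aug/2019:03:14:01 +0000] "GET /sslvpn/portal/index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Aug/2019:03:14:05 +0000] "GET /sslvpn/portal/lang/../../../../etc/passwd HTTP/1.1" 200 1337',
    '203.0.113.9 - - [22/Aug/2019:03:14:09 +0000] "GET /sslvpn/portal/%252e%252e/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 0',
    '198.51.100.7 - - [22/Aug/2019:03:14:12 +0000] "GET /sslvpn/portal/css/../js/app.js HTTP/1.1" 200 2048',
    'not a log line at all',
]

if __name__ == '__main__':
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Requests that return 200 for a traversing path deserve the most attention; a 404 still shows someone is probing.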

The vulnerabilities were first reported in July by researchers Orange Tsai and Meh Chang from DEVCORE, who found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents.

The security duo shared the results of their analysis at the Black Hat and DEFCON hacking conferences and proof-of-concept (PoC) exploits were publicly disclosed after their talks.

Even though the impacted vendors have released security advisories for the vulnerabilities discovered by the experts, attackers are attempting to exploit them in the wild.

Fortigate are calling this issue in FortiOS a “vulnerability” but to be clear it’s actually a major backdoor.

The backdoor code is flat out there in the OS, it even needs a ‘secret’ code typed to trigger it.

How did a major firewall vendor (almost 500k IPs) end up backdoored? https://t.co/GzCNXqtxDj — Kevin Beaumont (@GossiTheDog) August 22, 2019

Beaumont pointed out that an attacker could exploit the CVE-2018-13379 flaw to obtain administrator credentials in plain text. Using the BinaryEdge online scanner, he also found nearly half a million IP addresses associated with Fortinet devices exposed online.

Beaumont detected scanning activity aimed at vulnerable Fortinet systems on August 21, while he spotted threat actors targeting Pulse Secure systems on August 22.

Clearly, it is important that admins apply the security patches released by the vendors as soon as possible to mitigate possible attacks.

Pierluigi Paganini

(SecurityAffairs – Pulse Security Products, hacking)
