author photo
By Clare O’Gara
Mon | Apr 20, 2020 | 6:30 AM PDT

With the world retreating away from public spaces and into the digital sphere, the ability to work remotely is critical to keeping companies afloat.

And a VPN is critical to the security of this work.

Because if something is of value, you know a cybercriminal or nation-state hacker may try to attack it.

And this is why CISA has issued a critical alert for a particular VPN security vulnerability—one that has been around for months.

What is the Pulse Secure VPN vulnerability?

More than 80% of Fortune 500 companies and 23,000 enterprise customers, including 18 million endpoints, rely on Pulse Secure VPN to connect securely to corporate networks.

Now, this tool for remote work is being used as a point of attack, according to the Cybersecurity and Infrastructure Security Agency (CISA):

"Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack.

Although Pulse Secure disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510."

CISA provided this timeline of events surrounding the Pulse Secure vulnerability:

  • April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.
  • May 28, 2019 – Large commercial vendors get reports of vulnerable VPN through HackerOne.
  • July 31, 2019 – Full use of exploit demonstrated using the admin session hash to get complete shell.
  • August 8, 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation.
  • August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.
  • October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.
  • October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.
  • January 2020 – Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.   

This vulnerability has been an issue for almost a year, and it all comes down to a failure to patch.

Affected versions of the Pulse Secure VPN

According to CISA, these are the versions of Pulse Secure VPN impacted by this vulnerability. Are you running these?

•  Pulse Connect Secure 9.0R1 - 9.0R3.3
•  Pulse Connect Secure 8.3R1 - 8.3R7
•  Pulse Connect Secure 8.2R1 - 8.2R12
•  Pulse Connect Secure 8.1R1 - 8.1R15
•  Pulse Policy Secure 9.0R1 - 9.0R3.1
•  Pulse Policy Secure 5.4R1 - 5.4R7
•  Pulse Policy Secure 5.3R1 - 5.3R12
•  Pulse Policy Secure 5.2R1 - 5.2R12
•  Pulse Policy Secure 5.1R1 - 5.1R15

Equifax mega breach caused by unpatched vulnerability

If you're wondering about the risks associated with an unpatched VPN vulnerability, we can think of a major one.

An unpatched vulnerability—specifically in a version of Apache Struts—is the very thing that Chinese hackers used to pull off one of the largest breaches in history.

SecureWorld covered the Equifax breach extensively in previous reporting:

Using a security vulnerability that was known but remained unpatched at Equifax, hackers found a way in. According to the report, "The conspirators exploited the Apache Struts vulnerability to upload to an Equifax web server multiple unauthorized web shells and began reconnaissance on Equifax's online dispute portal." This included installing a "back door" to the system, so hackers could come and go as they pleased.

Podcast on the unpatched vulnerability at Equifax

SecureWorld interviewed Graeme Payne, the man fired from Equifax because his team failed to patch the known security vulnerability. Listen here or on your favorite podcast platform:

Hopefully, your organization has the process in place to successfully scan and mitigate the Pulse Secure VPN vulnerability that so many others have failed to patch.