Attacks on unpatched Pulse Secure and Fortinet SSL VPNs

[German]Hacker are scanning the web for and attacking unpatched Pulse Secure and Fortinet SSL VPNs for several days. Private keys and user passwords can be read out via vulnerabilities. The manufacturers released updates for the vulnerabilities months ago.

Simply general information for people who use VPN software from both companies. I came across this topic via the following tweet by security researcher Kevin Beaumont.

Here's a good summary of what is happening with two of the SSL VPN appliances this weekend.

Some of the largest companies, national infrastructure suppliers and government agencies in the world are still impacted. https://t.co/KNCWkn3amT

— Kevin Beaumont (@GossiTheDog) August 26, 2019

The attacks are taking place despite the fact that both VPN providers released security updates for their products a few months ago – Pulse Secure in April, Fortinet in May. Both vendors warned their users and recommended all customers to install the updates as quickly as possible given the severity of the bugs. However, many companies do not appear to have installed the updated software yet and are therefore still at increased risk from escalating exploitation attempts. Mass scans are now being detected.

This sensitive information disclosure vulnerability allows unauthenticated attackers to access private keys and user passwords.

Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539).

— Bad Packets Report (@bad_packets) August 22, 2019

Vulnerabilities can be used to capture private keys and passwords for online accounts. In addition, command injection or intrusion into networks may be possible, as this tweet suggests.

Internet scans provide at least 480,000 Fortinet Fortigate SSL VPN endpoints connected to the Internet. However, it is currently unclear how many are not patched. However, experts say that of the 42,000 or so Pulse Secure SSL VPN endpoints that can be reached online, more than 14,000 are unpatched. It appears that some of the world's largest corporations, national infrastructure providers and government agencies are still affected. So I think we will soon be able to report more hacks and leaks.