Hackers who exploited CVE-2019-11510 & stole a victim organisation’s credentials are still able to access that organisation’s network even after the organisation has patched this vulnerability! How to put this right?
VPN
Pulse Secure VPN appliances remain open to attackers even after the patch for CVE-2019-11510, an ‘arbitrary file reading vulnerability’ affecting Pulse Secure virtual private network (VPN) appliances, has been installed – but only if credentials were stolen before the patch was applied.
Patch
This warning was issued last week by the US Cybersecurity & Infrastructure Security Agency (CISA) in its update to Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability. It advises administrators that cyber-criminals who exploited CVE-2019-11510 & stole a victim organisation’s credentials will still be able to access & move laterally through that organisation’s network even after the organisation has patched this vulnerability, if the organisation did not change those stolen credentials.
There are new detection methods for this attack.
Tool
These include a CISA-developed tool that helps network administrators search for indicators of compromise (IOCs) associated with exploitation of CVE-2019-11510. The Alert also provides mitigations to help victim organisations recover from attacks resulting from CVE-2019-11510. Network administrators are strongly encouraged to be aware of all the consequences of exploitation of CVE-2019-11510 & to apply these detection measures & mitigations in order to secure their networks against these attacks.
STIX file
A downloadable copy of the IOCs is now available as a STIX file.
In tests of the CVE-2019-11510 exploit, CISA has confirmed that plaintext Active Directory credentials were leaked & that it was possible to leak the local admin password to the VPN appliance.
Pulse Secure
In a note, CISA also explains that “CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability affecting Pulse Secure VPN appliances. A remote attacker can exploit this vulnerability to request arbitrary files from a VPN server. The vulnerability occurs because directory traversal is hard coded to be allowed if the path contains dana/html5/acc.[3],[4] For example, a malicious cyber-actor can obtain the contents of /etc/passwd [5] by requesting the following uniform resource identifier (URI):
https://vulnvpn.example[.]com/dana-na/../dana/html5/acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/
“Obtaining the contents of /etc/passwd gives the attacker access to basic information about local system accounts. This request was seen in the proof of concept (POC) code for this exploit on GitHub. An attacker can also leverage the vulnerability to access other files that are useful for remote exploitation. By requesting the data.mdb object, an attacker can leak plaintext credentials of enterprise users.[6],[7],[8]
Exploit
“Open-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords;[9] however, CISA has not observed this behaviour. By reviewing victim VPN appliance logs, CISA has noted cyber threat actors crafting requests that request files that allow for Credential Dumping [T1003] plaintext passwords from the VPN appliance.”
Network administrator advice
To detect any past exploitation of CVE-2019-11510, CISA says network administrators must:
- Turn on logging of unauthenticated requests. (Note: there is a risk of overwriting logs with unauthenticated requests, so if enabling this feature, be sure to back up logs frequently; if possible, use a remote syslog server.)
- Check logs for exploit attempts. To detect lateral movement, system administrators should look in the logs for strings such as ../../../data.
- Manually review logs for unauthorised sessions and exploit attempts, especially sessions originating from unexpected geo-locations.
- Run CISA’s IOC detection tool. CISA has now developed a tool that lets administrators triage logs (if authenticated request logging is turned on) & automatically search for IOCs associated with exploitation of CVE-2019-11510. CISA encourages administrators to visit CISA’s GitHub page to download & run the tool. While not fully exhaustive, this tool may find evidence of attempted compromise.
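The log-review step above, as an added example that is not CISA's tool or any code from the alert: a small Python triage script that flags request-log lines showing the traversal shape quoted earlier (through dana/html5/acc), the ../../../data string, or requests for the two files the alert names. The log line format and the sample lines are constructed assumptions; real appliance logs will differ and the regexes should be adapted to them.

```python
import re
from urllib.parse import unquote
# Indicator patterns built from the request shape quoted in the alert above: traversal
# through dana/html5/acc, the ../../../data string CISA says to look for, and the files named.
TRAVERSAL_VIA_ACC = re.compile(r"dana/html5/acc/.*?(?:\.\./)+", re.IGNORECASE)
DATA_TRAVERSAL = re.compile(r"\.\./\.\./\.\./data", re.IGNORECASE)
SENSITIVE_FILE = re.compile(r"/etc/passwd|data\.mdb", re.IGNORECASE)

# Assumed log line shape (constructed for this example; real appliance logs differ):
#   <timestamp> <src_ip> <method> <uri> <status>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(uri):
    """Return the indicator names matched by one request URI (empty list if clean)."""
    u = unquote(unquote(uri))  # decode twice so double-percent-encoded traversal is caught
    hits = []
    if TRAVERSAL_VIA_ACC.search(u):
        hits.append("traversal-via-dana/html5/acc")
    if DATA_TRAVERSAL.search(u):
        hits.append("traversal-to-data")
    m = SENSITIVE_FILE.search(u)
    if m:
        hits.append("file:" + m.group(0).lower())
    return hits

def scan_log(lines):
    """Return one finding per log line whose URI matches any indicator."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort a long triage run
        ts, ip, _method, uri, status = m.groups()
        hits = classify(uri)
        if hits:
            findings.append({"time": ts, "ip": ip, "status": int(status), "hits": hits})
    return findings

# Constructed sample lines: the first mirrors the URI quoted in the alert, the second is the
# same traversal double-percent-encoded, the third carries ../../../data; the rest are benign.
SAMPLE_LOG = [
    "2020-01-10T12:00:01Z 198.51.100.7 GET /dana-na/../dana/html5/acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ 200",
    "2020-01-10T12:00:05Z 198.51.100.7 GET /dana-na/..%2Fdana/html5/acc/guacamole/..%252F..%252F..%252Fetc/passwd?/dana/html5acc/guacamole/ 200",
    "2020-01-10T12:01:00Z 203.0.113.9 GET /dana/html5/acc/guacamole/../../../data 403",
    "2020-01-10T12:02:00Z 192.0.2.44 GET /dana-na/auth/url_default/welcome.cgi 200",
    "2020-01-10T12:02:30Z 192.0.2.44 POST /dana-na/auth/url_default/login.cgi 302",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Every flagged source IP is a pivot for the manual review step: check what sessions that address went on to establish, and treat any credentials it could have read as compromised.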
Please apply if needed!