CVE-2019-11510 in Pulse Secure VPN products earned a maximum OVS score of 100 due to its severity and significant exploitation in the wild by threat actors. As part of our 12 Vulns of Christmas blog series, this section examines the vulnerability and why organisations must patch it immediately.
CVE-2019-11510 is a vulnerability that affects Pulse Secure’s Pulse Connect Secure (PCS), a VPN solution used by organisations worldwide. Pulse Secure originally disclosed the vulnerability on 22 March 2019, describing it as an authentication bypass that allows attackers to read arbitrary files remotely on affected PCS gateways. This is achieved by sending a specially crafted Uniform Resource Identifier (URI) string, which lets threat actors steal the session cookies of authenticated users connected to the VPN, impersonate active VPN sessions, gain access to corporate networks and conduct further exploitation.
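The class of request described above, a crafted URI whose path climbs out of the gateway's web root, can be spotted in gateway access logs without knowing any particular exploit string. The script below is an added example, not code from the original post or from Pulse Secure: it parses Common Log Format lines, percent-decodes the request target repeatedly so that double-encoded dot-dot sequences are exposed, flags any request whose decoded path contains a `..` segment, and rates a 2xx response to such a request as high severity because it suggests the gateway served the file. The log lines, IP addresses and paths are constructed for illustration.

```python
"""Flag directory-traversal requests in VPN gateway access logs.

Added example, not from the original post or from Pulse Secure. It detects
the request shape behind CVE-2019-11510 (a crafted URI reaching files outside
the web root) generically rather than matching one exploit string. All log
lines, IPs and paths below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD TARGET PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_target(target, rounds=3):
    """Percent-decode repeatedly so double-encoded dots (%252e%252e) are exposed."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal(target):
    """True if the decoded path (query string removed) contains a '..' segment.

    Browsers normalise '..' before sending a request, so a literal dot-dot
    segment arriving at a VPN gateway is almost always crafted by a client.
    """
    path = decode_target(target).split("?", 1)[0].replace("\\", "/")
    return ".." in path.split("/")


def classify(line):
    """Return a finding dict for a traversal request, or None for a normal line."""
    match = LOG_RE.match(line)
    if not match:
        return None
    target = match.group("target")
    if not is_traversal(target):
        return None
    status = int(match.group("status"))
    # A 2xx answer to a traversal request suggests the gateway served the file.
    severity = "high" if 200 <= status < 300 else "medium"
    return {
        "ip": match.group("ip"),
        "status": status,
        "severity": severity,
        "decoded": decode_target(target),
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [finding for finding in map(classify, lines) if finding]


# Constructed sample log lines (not real traffic, not real gateway paths).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2020:10:00:01 +0000] "GET /portal/welcome HTTP/1.1" 200 5120',
    '203.0.113.20 - - [10/Dec/2020:10:00:02 +0000] "GET /portal/../../../../example/secret.txt HTTP/1.1" 200 1024',
    '203.0.113.30 - - [10/Dec/2020:10:00:03 +0000] "GET /portal/%2e%2e/%2e%2e/example/secret.txt HTTP/1.1" 404 312',
    '203.0.113.40 - - [10/Dec/2020:10:00:04 +0000] "GET /portal/%252e%252e/%252e%252e/example/secret.txt?x=1 HTTP/1.1" 403 200',
    '203.0.113.50 - - [10/Dec/2020:10:00:05 +0000] "POST /portal/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["severity"]:6} {finding["ip"]:15} {finding["status"]} {finding["decoded"]}')
```

Feed the script real gateway or reverse-proxy logs one line at a time; the high-severity findings (traversal request plus a 2xx response) are the ones that warrant treating the gateway as compromised and rotating every credential and session that passed through it.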
According to the security researchers who found the vulnerability, Pulse Secure’s SSL VPN was operating on more than 50,000 servers worldwide at the time of disclosure, and is used by government agencies, large corporations and MSPs. A Metasploit module for CVE-2019-11510 was published on 21 August 2019, followed on 27 August 2019 by an Nmap NSE script that allows threat actors to check for vulnerable servers. The release of these two modules made the vulnerability easy to exploit, as earlier exploits required a higher degree of skill that Metasploit and Nmap remove.
There is significant evidence of extensive exploitation of this vulnerability in the wild. Nation-state actors and ransomware operators benefit the most from vulnerabilities affecting corporate VPN solutions, because a compromised VPN enables rapid lateral movement between compromised networks and devices, which is ideal for both intelligence collection and ransomware deployment.
Early signs of exploitation by ransomware groups came in October 2019, when the NSA and NCSC released advisories warning organisations that threat actors had been observed using CVE-2019-11510 in the wild against organisations in the US and UK. This was followed in January 2020 by reports that the Sodinokibi group had used the vulnerability to breach Travelex, encrypting its exposed files and systems and demanding a USD 3m ransom. Operators of another, unidentified ransomware strain were found using the vulnerability in March 2020 to target the UK fintech company Finastra, followed by US hospitals and government entities in April 2020 and the UK electricity company Elexon in May 2020. The ransomware operators dubbed Black Kingdom also used the vulnerability to target Polish organisations in June 2020, and the NetWalker ransomware strain added the vulnerability to its capabilities in July 2020.
Given the flourishing market for selling corporate network access to ransomware operators on dark web forums, cybercriminals have also profited from the vulnerability by selling cleartext credentials for over 900 compromised Pulse Secure VPN servers on one such forum.
There has also been ample evidence of nation-state threat actors exploiting the vulnerability for intelligence collection. In February 2020, security researchers observed the Iranian threat actors OilRig, Chafer and Shamoon exploiting the vulnerability to target a variety of sectors, including government, energy, aviation, security and telecommunications. The Iranian actor Pioneer Kitten was also observed in September 2020 selling access to compromised VPN networks on cybercriminal forums, access it had allegedly obtained by exploiting the vulnerability. Russia’s infamous APT29 group was seen exploiting CVE-2019-11510 in July 2020 to target organisations researching COVID-19 vaccines. Indictments of seven Chinese nationals linked to APT41 in September 2020 also revealed that the nation-state group had used the vulnerability to conduct supply-chain attacks on various organisations.
Shodan indicates that 462 public-facing servers are still vulnerable to CVE-2019-11510, showing that many organisations have yet to upgrade their Pulse Secure instances to a patched version. The United States remains the most affected country (79 vulnerable hosts), followed by Japan (65) and China (64).
Many organisations around the globe remain exposed to a vulnerability that has been demonstrably exploited by a variety of threat actors, including ransomware operators and nation-state groups. We highly recommend that organisations looking to mitigate the risk around CVE-2019-11510 apply the following mitigation tactics: