CISA Warns Patched Pulse Secure VPNs Could Still Expose Passwords

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an alert on a vulnerability in Pulse Secure virtual private network (VPN) products -- yet again.

The issue concerns a file-reading vulnerability (CVE-2019-11510) in Pulse Secure VPNs that can expose passwords. The vulnerability was originally disclosed in a January CISA alert. Pulse Secure issued patches for the vulnerability in April, but CISA's new alert now warns that compromised organizations that failed to change their credentials after applying those Pulse Secure patches are still subject to password-stealing attacks.

The attacks are carried out by requesting files from a VPN server, and they can expose Active Directory credentials in plain text form.

"Open-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords," CISA's alert indicated, although its researchers have "not observed this behavior" as yet.

CISA's proof-of-concept test was conducted using "a domain controller (DC) running Windows Server 2016, an attacker machine, and a Pulse Secure VPN appliance version 9.0R3 (build 64003)," the alert indicated.

There have been active attacks. CISA has observed attackers using this vulnerability to drop Trojans, exfiltrate data and execute ransomware, according to the alert.

CISA described some steps to take using Pulse Secure logs to detect if CVE-2019-11510 exploits have been attempted. It offered this final advice for Pulse Secure VPN users:

CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510. If -- after applying the detection measures in this alert -- organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and services accounts.

If there's been malicious activity, as indicated by the logs, CISA also suggests that organizations "should consider reimaging the workstation or server and redeploying back into the environment."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

