CISA Warns Patched Pulse Secure VPNs Could Still Expose Passwords
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an alert on a vulnerability in Pulse Secure virtual private network (VPN) products -- yet again.
The issue concerns a file-reading vulnerability (CVE-2019-11510) in Pulse Secure VPNs that can expose passwords. The vulnerability was originally disclosed in a January CISA alert. Pulse Secure issued patches for the vulnerability in April, but CISA's new alert now warns that compromised organizations that failed to change their credentials after applying those Pulse Secure patches are still subject to password-stealing attacks.
The attacks are carried out by requesting files from a vulnerable VPN server, and they can expose Active Directory credentials in plaintext.
"Open-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords," CISA's alert indicated, although its researchers have "not observed this behavior" as yet.
CISA's proof-of-concept test was conducted using "a domain controller (DC) running Windows Server 2016, an attacker machine, and a Pulse Secure VPN appliance version 9.0R3 (build 64003)," the alert indicated.
There have been active attacks. CISA has observed attackers using this vulnerability to drop Trojans, exfiltrate data and execute ransomware, according to the alert.
CISA described steps for using Pulse Secure logs to detect whether exploitation of CVE-2019-11510 has been attempted. It offered this final advice for Pulse Secure VPN users:
CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510. If -- after applying the detection measures in this alert -- organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and service accounts.
If there's been malicious activity, as indicated by the logs, CISA also suggests that organizations "should consider reimaging the workstation or server and redeploying back into the environment."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.