Applying a security update to a CVE released more than a year ago could have prevented a hacker from publishing plaintext usernames and passwords, as well as IP addresses, for more than 900 Pulse Secure VPN enterprise servers.
“The lesson here? Patch, patch, patch,” said Laurence Pitt, global security strategy director at Juniper Networks. “The fact that this vulnerability allowed for username/cleartext password combinations to be exposed is bad enough, but what makes it unacceptable is that this was reported in a CVE, released over a year ago and fixed in a later version of the product.”
Research companies, too, had long sounded warnings about the vulnerability, CVE 2019-11510, “releasing proof of concept data to show what could, and would, be exposed,” Pitt said.
“A CVE was discovered and announced in August 2019, and here we are almost 12 months later and still, 677 enterprise devices were still unpatched exposing VPN open ports and vulnerabilities and allowing access with only a user name and password,” said Jason Garbis, senior vice president, products at AppGate. “All bad. No one would ever think to design a new system with these three flaws today.”
CVE 2019-11510 was one of the vulnerabilities exploited recently by Russia’s Cozy Bear, APT29, in an attempt to steal Covid-19 vaccine research by hacking vaccine trials and dropping WellMess and WellMail malware. It was also used as an entry point by REvil/Sodinokibi ransomware hackers that struck celebrity law firm Grubman, Shire, Meiselas and Sacks and threatened to release information on clients like Lady Gaga and Madonna as well as President Trump.
In addition to usernames, passwords and IP addresses, the hacker published SSH keys for servers, password hashes for local users, cookies for VPN sessions as well as last logins and information of admin accounts, according to a report from ZDNet. “These enterprises are at immediate risk, since their private networks are now effectively exposed to attackers. Add to that, chances are these users have re-used passwords for other accounts, which are now also at risk,” said Garbis. “It’s frankly unconscionable that organizations continue to expose the networks’ ‘front door’ to every adversary on the planet. There are better and more secure ways to provide users with remote access, without putting your entire organization at risk.”
The exploit and resultant leak might be even larger than currently known. “The data published lists only 900 servers. What we do not know is how many more have not been released – or, which of these could be sensitive servers that are now being poked and prodded in planning for a bigger attack,” said Pitt.
The report cited security researcher Bank Security as saying all the servers listed were running firmware vulnerable to the flaw.
Pulse Secure, too, continues to urge its customers to "deploy the security patch fix, available since April 2019, to protect themselves from threat actors and potential attacks," Scott Gordon, chief marketing officer at Pulse Secure said in a statement sent to SC Media, pointing organizations to visit SA44101. "We have already contacted customers that have yet to apply the patch fix multiple times using contact information available to us, and we will continue to do so until the deploy the patch to all their systems."
Garbis said while “no enterprise can patch all vulnerabilities, it’s a near impossibility,” many of them should “try to patch all CVSS 8-10 at a minimum,” noting that even that tactic “is difficult and not always foolproof as it is very difficult to patch production network access systems like firewalls and VPNs as any outage or maintenance windows can cost the business hundreds of thousands of dollars. This is why VPNs are constantly a massive target for APT groups.
In addition to patching servers, using a one-time password (OTP) “will solve the problem” and urged organizations to “protect the remote endpoints from future attacks as well,” said Eddy Bobritsky, CEO at Minerva Labs.