Over 14,500 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510

On Thursday, August 22, 2019, our honeypots detected opportunistic mass scanning activity from a host in Spain targeting Pulse Secure “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This arbitrary file reading vulnerability allows sensitive information disclosure enabling unauthenticated attackers to access private keys and user passwords. Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.

On Friday, August 23, 2019, our honeypots detected additional mass scanning for CVE-2019-11510 from another host in Spain.

On Thursday, August 29, 2019, our honeypots detected mass scanning for vulnerable Fortinet and Pulse Secure VPN servers from a host in the United States.

The exploit activity detected from hosts in Spain attempted to download the “etc/passwd” file which contains the usernames associated with the VPN server (not client accounts). In all cases, a successful “HTTP 200/OK” response to this scan indicates the endpoint is vulnerable to further attacks. Given the ongoing scanning activity, it’s likely attackers have enumerated all publicly accessible Pulse Secure VPN servers vulnerable to CVE-2019-11510.

How many hosts are vulnerable to CVE-2019-11510?

Using data provided by BinaryEdge, we scanned 41,850 Pulse Secure VPN endpoints to ascertain which were vulnerable. On Saturday, August 24, 2019, our scans found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. No sensitive information was disclosed or recorded during our scans as we simply sent a HEAD HTTP request (unlike a GET request that downloads a file) to confirm the arbitrary file reading vulnerability was possible.
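The scanning described above leaves a recognisable footprint in a VPN appliance's web access logs: a request whose path traverses upward to a system file such as "etc/passwd" or "etc/hosts", and a response code that tells the defender whether the appliance actually served it. The following Python is an added example (not code from the original post or from Bad Packets) of triage logic a defender could run over such logs. It distinguishes a GET that returned 200 (the file body was disclosed) from a HEAD that returned 200 (vulnerability confirmed without a body, the non-destructive check the post describes) and from attempts that were answered with a non-200 status. The log lines and the traversal paths in them are constructed for this example and are not the request URIs used by any real scanner; the post names the target files but not the exact request format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format.  The traversal
# paths are invented for this example; they only reference the files named in
# the post and are not the URIs of any real scanner.  IPs are RFC 5737 ranges.
SAMPLE_LOGS = """\
203.0.113.10 - - [22/Aug/2019:10:15:02 +0000] "GET /vpn/../../../../etc/passwd HTTP/1.1" 200 1582 "-" "python-requests/2.22.0"
203.0.113.10 - - [22/Aug/2019:10:15:03 +0000] "GET /vpn/..%2F..%2F..%2F..%2Fetc/hosts HTTP/1.1" 200 312 "-" "python-requests/2.22.0"
198.51.100.7 - - [24/Aug/2019:08:01:44 +0000] "HEAD /vpn/../../../../etc/passwd HTTP/1.1" 200 0 "-" "research-scanner/1.0"
192.0.2.55 - - [24/Aug/2019:09:30:11 +0000] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.99 - - [29/Aug/2019:14:02:09 +0000] "GET /vpn/../../../../etc/passwd HTTP/1.1" 404 218 "-" "curl/7.58.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Files the post reports being requested through the arbitrary file read.
SENSITIVE_FILES = ("etc/passwd", "etc/hosts")
# A ".." path segment anywhere in the request path.
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')


def classify(line):
    """Return an event dict for a traversal request against a sensitive file,
    or None for anything else.

    verdict values:
      disclosure       - GET + 200: the file body was served to the client
      probe_confirmed  - HEAD + 200: vulnerability confirmed, no body served
      attempt_blocked  - traversal request answered with a non-200 status
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    # One pass of percent-decoding so "..%2F" is treated like "../".
    path = unquote(m.group("path"))
    target = next((f for f in SENSITIVE_FILES if path.endswith(f)), None)
    if target is None or not TRAVERSAL.search(path):
        return None
    status = int(m.group("status"))
    method = m.group("method")
    if status != 200:
        verdict = "attempt_blocked"
    elif method == "HEAD":
        verdict = "probe_confirmed"
    else:
        verdict = "disclosure"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": method,
            "target": target, "status": status, "verdict": verdict}


def analyze(lines):
    """Classify every line, dropping benign traffic."""
    return [e for e in (classify(l) for l in lines) if e]


def summarize(lines):
    """Count verdicts and list the sources whose requests were answered 200,
    i.e. the hosts that now know (or hold a copy of) what the appliance leaked."""
    events = analyze(lines)
    counts = Counter(e["verdict"] for e in events)
    successful_sources = sorted({e["ip"] for e in events if e["status"] == 200})
    return {"counts": counts, "successful_sources": successful_sources}


if __name__ == "__main__":
    for e in analyze(SAMPLE_LOGS.splitlines()):
        print(f'{e["ts"]} {e["ip"]:15} {e["method"]:4} {e["target"]:10} '
              f'{e["status"]} -> {e["verdict"]}')
    print(summarize(SAMPLE_LOGS.splitlines()))
```

A 200 to a GET for one of these files means credential material should be treated as exposed and rotated after patching, not merely that the host is vulnerable; a 404 or 403 only shows that someone tried. Matching on the decoded path catches the encoded variant in the second sample line that a literal "../" string match would miss.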

Where are the vulnerable hosts located?

Vulnerable hosts were found in 121 countries around the world.

Hosts vulnerable to CVE-2019-11510 by country

This interactive map shows the total vulnerable hosts found per country. Overall, the most vulnerable Pulse Secure VPN endpoints were located in the United States.

Which organizations are affected by CVE-2019-11510?

2,535 unique autonomous systems (network providers) were found to have vulnerable Pulse Secure VPN endpoints on their network. We’ve discovered this vulnerability currently affects:

  • U.S. military, federal, state, and local government agencies
  • Public universities and schools
  • Hospitals and health care providers
  • Electric and gas utilities
  • Major financial institutions
  • News / Media corporations
  • Numerous Fortune 500 companies

The list of affected organizations will not be published because this critical vulnerability is easy to exploit using publicly available proof-of-concept code.

Additionally, further exploitation of this vulnerability could allow remote code execution (RCE) on the clients connecting to a compromised VPN server. This technique could be used to spread ransomware and any other type of malware on sensitive networks.

Closing Remarks

Pulse Secure VPN administrators need to immediately ensure they’re not using versions of the “Pulse Connect Secure” server software vulnerable to CVE-2019-11510. Pulse Secure has provided guidance on how to update to fixed versions. There is no workaround for this vulnerability. Given the severity of this sensitive information disclosure vulnerability, coupled with the risk of unauthorized access to private networks, there is little time to update before threat actors engage in further malicious activity.

Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Pulse Secure VPN endpoints will not be published publicly. However, the list is freely available for authorized government CERT and CSIRT teams to review. We’ve shared our findings directly with US-CERT (CISA) and other U.S. federal law enforcement agencies for further investigation and remediation.

We’ve also notified these organizations: A-ISAC, ACSC, aeCERT, AusCERT, CCCS, CERT-Bund, CERT-FR, CERTGOVIL, CERT-In, CERT POLSKA, CIRCL.LU, CITC-SA, colCERT, E-ISAC, EG-CERT, GovCERT.ch, GovCERT.gv.at, GovCERT.HK, GOVCERT.LU, H-ISAC, IL-CERT, JPCERT/CC, KN-CERT, KPN-CERT, MS-ISAC, MSRC, NCSC, NCSC-IE, NCSC-NL, Q-CERT, REN-ISAC, SingCERT, ThaiCERT, TR-CERT, TWCERT/CC, TWNCERT, and VNCERT.

Additional Updates

On Saturday, August 31, 2019, we conducted another round of vulnerability scanning and found 10,471 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Monday, September 1, 2019, JPCERT/CC published an advisory urging Pulse Secure VPN server administrators to update to the latest version as soon as possible. We thank JPCERT/CC for their assistance in notifying vulnerable organizations in Japan.

On Thursday, September 5, 2019, our honeypots detected mass scanning for CVE-2019-11510 from two hosts in Germany. The exploit activity attempted to download the “etc/hosts” file which contains the internal hostnames and IP addresses associated with the VPN server.

On Friday, September 6, 2019, our honeypots detected mass scanning for CVE-2019-11510 from a host in Estonia. The exploit activity attempted to download the “etc/passwd” file which contains the usernames associated with the Pulse Secure VPN server.

On Saturday, September 7, 2019, our honeypots detected mass scanning for CVE-2019-11510 from another host in Estonia.

On Sunday, September 8, 2019, our honeypots detected mass scanning for CVE-2019-11510 from yet another host in Estonia. This was the third time we detected exploit activity originating from the network of “FASTVPS” (AS198068).

Between Sunday, September 8, 2019 and Monday, September 9, 2019, we conducted another round of CVE-2019-11510 vulnerability scanning and found 9,002 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Monday, September 16, 2019, we performed additional CVE-2019-11510 vulnerability scans and found 7,712 vulnerable Pulse Secure VPN servers. Our results are freely available for authorized CERT, CSIRT, and ISAC teams to review. Please submit a request here and provide the country, ASN, or domain names of your constituency.
