Over 14,500 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510

On Thursday, August 22, 2019, our honeypots detected opportunistic mass scanning activity from a host in Spain targeting Pulse Secure “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This arbitrary file reading vulnerability allows sensitive information disclosure enabling unauthenticated attackers to access private keys and user passwords. Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.

On Friday, August 23, 2019, our honeypots detected additional mass scanning for CVE-2019-11510 from another host in Spain.

On Thursday, August 29, 2019, our honeypots detected mass scanning activity checking for vulnerable Fortinet and Pulse Secure VPN servers from a host in the United States.

The exploit activity detected from hosts in Spain attempted to download the “etc/passwd” file which contains the usernames associated with the VPN server (not client accounts). In all cases, a successful “HTTP 200/OK” response to this scan indicates the endpoint is vulnerable to further attacks. Given the ongoing scanning activity, it’s likely attackers have enumerated all publicly accessible Pulse Secure VPN servers vulnerable to CVE-2019-11510.

How many hosts are vulnerable to CVE-2019-11510?

Using data provided by BinaryEdge, we scanned 41,850 Pulse Secure VPN endpoints to ascertain which were vulnerable. On Saturday, August 24, 2019, our scans found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. No sensitive information was disclosed or recorded during our scans as we simply sent a HEAD HTTP request (unlike a GET request that downloads a file) to confirm the arbitrary file reading vulnerability.
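As an added example (not part of the original post or of any Bad Packets tooling), the following Python reviews web-server access logs for the kind of traversal requests described above and reports what the response status implies: a 200 to a GET means the file left the server, a 200 to a HEAD confirms exposure without a download, and anything else is a probe that was not answered. The log lines and request paths are constructed for the example; the real request URL used by exploit code is not reproduced here.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Aug/2019:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Aug/2019:10:14:03 +0000] "GET /vpn/../../../../../../etc/passwd HTTP/1.1" 200 1822 "-" "python-requests/2.22.0"
198.51.100.9 - - [05/Sep/2019:08:01:44 +0000] "GET /vpn/..%2F..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 404 221 "-" "curl/7.64.0"
192.0.2.77 - - [24/Aug/2019:12:00:00 +0000] "HEAD /vpn/../../../../../../etc/passwd HTTP/1.1" 200 0 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Files the observed scanners were retrieving (from the post): server usernames and internal hosts.
TARGET_RE = re.compile(r"(?:^|/)(etc/(?:passwd|hosts))$")


def normalize_path(raw):
    """Strip the query string and percent-decode twice so encoded traversal is visible."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.lower()


def classify_request(method, path, status):
    """Return a finding dict for traversal reads of target files, or None for other requests."""
    norm = normalize_path(path)
    if ".." not in norm.split("/"):          # no traversal segment: not of interest here
        return None
    match = TARGET_RE.search(norm)
    if not match:
        return None
    if status == 200 and method == "GET":
        verdict = "file disclosed"                 # contents were returned to the scanner
    elif status == 200 and method == "HEAD":
        verdict = "vulnerable, no content returned"  # the same check this post's scan used
    else:
        verdict = "probe, no disclosure"           # 403/404 etc.: request was not served
    return {"method": method, "target": match.group(1), "status": status, "verdict": verdict}


def scan_log(text):
    """Parse each log line and collect findings with the source IP and timestamp attached."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m["method"], m["path"], int(m["status"]))
        if finding:
            finding.update(ip=m["ip"], ts=m["ts"])
            findings.append(finding)
    return findings
```

Any "file disclosed" finding means the server's credential material should be treated as exposed even if it has since been patched, which is the same point CISA later made with its check-your-pulse tool.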

Where are the vulnerable hosts located?

Vulnerable hosts were found in 121 countries around the world.

Hosts vulnerable to CVE-2019-11510 by country

This interactive map shows the total vulnerable hosts found per country. Overall, the most vulnerable Pulse Secure VPN endpoints were located in the United States.

Which organizations are affected by CVE-2019-11510?

2,535 unique autonomous systems (network providers) were found to have vulnerable Pulse Secure VPN endpoints on their network. We’ve discovered this vulnerability currently affects:

  • U.S. military, federal, state, and local government agencies
  • Public universities and schools
  • Hospitals and health care providers
  • Electric and gas utilities
  • Major financial institutions
  • News / Media corporations
  • Numerous Fortune 500 companies

The list of affected organizations will not be published because this critical vulnerability is easy to exploit using publicly available proof-of-concept code.

Additionally, further exploitation of this vulnerability could allow remote code execution (RCE) on the clients connecting to a compromised VPN server. This technique could be used to spread ransomware and any other type of malware on sensitive networks.

Closing Remarks

Pulse Secure VPN administrators need to immediately ensure they’re not using versions of the “Pulse Connect Secure” server software vulnerable to CVE-2019-11510. Pulse Secure has provided guidance on how to update to fixed versions. There is no workaround for this vulnerability. Given the severity of this sensitive information disclosure vulnerability coupled with the risk of unauthorized access to private networks – there is little time to update before threat actors engage in further malicious activity.

Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Pulse Secure VPN endpoints will not be published publicly. However, the list is freely available for authorized government CERT, CSIRT, and ISAC teams to review.

We’ve shared our findings directly with US-CERT (CISA/DHS) and other U.S. federal law enforcement agencies for further investigation and remediation. Additionally, we’ve also notified these organizations: A-ISAC, ACSC, aeCERT, AusCERT, CCCS, CERT-Bund, CERT/CC, CERT.be, CERT-FR (ANSSI), CERTGOVIL, CERT-In, CERT Orange Cyberdefense, CERT POLSKA, CERT.PT, CERT NZ, CFCS-DK, CIRCL.LU, CITC-SA, colCERT, CNCERT/CC, E-ISAC, EG-CERT, FS-ISAC, GovCERT.ch, GovCERT.gv.at, GovCERT.HK, GOVCERT.LU, H-ISAC, IL-CERT, INCIBE-CERT, Janet CSIRT, JPCERT/CC, KN-CERT, KPN-CERT, MOD, MS-ISAC, MSRC, NAAEA, NCIIPC, NCFTA, NCIS, NCSC, NCSC-IE, NCSC-NL, Q-CERT, REN-ISAC, SingCERT, ThaiCERT, TR-CERT, TSA, TT-CSIRT, TWCERT/CC, TWNCERT, VNCERT, and Yoroi CERT.

Additional Updates

On Saturday, August 31, 2019, we conducted another round of vulnerability scanning and found 10,471 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Monday, September 1, 2019, JPCERT/CC published an advisory urging Pulse Secure VPN server administrators to update to the latest version as soon as possible. We thank JPCERT/CC for their assistance in notifying vulnerable organizations in Japan.

On Thursday, September 5, 2019, our honeypots detected mass scanning for CVE-2019-11510 from two hosts in Germany. The exploit activity attempted to download the “etc/hosts” file which contains the internal hostnames and IP addresses associated with the VPN server.

On Friday, September 6, 2019, our honeypots detected mass scanning for CVE-2019-11510 from a host in Estonia. The exploit activity attempted to download the “etc/passwd” file which contains the usernames associated with the Pulse Secure VPN server.

On Saturday, September 7, 2019, our honeypots detected mass scanning for CVE-2019-11510 from another host in Estonia.

On Sunday, September 8, 2019, our honeypots detected mass scanning for CVE-2019-11510 from yet another host in Estonia. This was the third time we detected exploit activity originating from the network of “FASTVPS” (AS198068).

On Sunday, September 22, 2019, our honeypots detected mass scanning activity targeting Pulse Secure VPN servers. This activity originated from a host in Russia and a Tor exit node in Sweden.

On Monday, September 23, 2019, mass scanning activity targeting Pulse Secure VPN servers over Tor continued.

On Monday, October 7, 2019, the NSA published an advisory on how to mitigate threats targeting Pulse Secure and other enterprise-grade VPN servers.

Additionally, the NCSC has updated their advisory regarding APT activity targeting vulnerable VPN servers and included a link to our disclosure. We thank NCSC for their assistance in notifying impacted organizations in the United Kingdom.

On Sunday, October 13, 2019, our honeypots detected opportunistic mass scanning activity from two Amazon Web Services EC2 instances checking for vulnerable Pulse Secure VPN servers.

In both cases, these hosts were exploiting CVE-2019-11510 to download the “/etc/passwd” file from targeted servers.

On Wednesday, October 16, 2019, CERT/CC published an advisory and timeline of specific events relating to CVE-2019-11510 which referenced our disclosure. We thank CERT/CC for their assistance in notifying organizations affected by this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory summarizing the multiple vulnerabilities affecting Pulse Secure VPN servers and they urge administrators to apply the necessary updates.

On Wednesday, November 6, 2019, our honeypots detected opportunistic mass scanning activity from an Amazon Web Services EC2 instance checking for Pulse Secure VPN servers vulnerable to CVE-2019-11510.

On Monday, December 16, 2019, our honeypots detected opportunistic mass scanning activity from an Amazon Web Services EC2 instance in Germany checking for Pulse Secure VPN servers vulnerable to CVE-2019-11510.

On Tuesday, January 7, 2020, our honeypots detected opportunistic mass scanning activity from multiple Linode hosts checking for Pulse Secure VPN servers vulnerable to CVE-2019-11510.

On Friday, January 10, 2020, CISA published an alert regarding the continued exploitation of CVE-2019-11510 and strongly urged affected organizations to patch their Pulse Secure VPN servers to fixed versions.

On Thursday, January 16, 2020, The Wall Street Journal published an investigative report detailing the ransomware attack targeting Travelex and other organizations that still hadn’t patched against CVE-2019-11510.

On Wednesday, March 25, 2020, JPCERT/CC published a summary report advising the remaining affected Pulse Secure VPN users in Japan to patch their vulnerable servers.

On Thursday, April 16, 2020, CISA released an open source tool, aptly named check-your-pulse, for reviewing Pulse Secure VPN server logs for indicators of compromise. CISA noted that organizations that have already patched may have been compromised before doing so.

On Friday, April 24, 2020, our honeypots detected coordinated botnet mass scanning activity targeting ASUS routers, Citrix (NetScaler) VPN servers, Fortinet VPN servers, OpenWrt routers, Pulse Secure VPN servers, SMC routers, Ubiquiti routers, and Westell modems.

This botnet appeared to consist of compromised corporate (business) servers and customers of cloud providers – such as Alibaba, AWS, Azure, Google, Oracle, and others. Bad Packets® CTI users can query our API to receive a full list of compromised hosts that need immediate remediation.

Weekly CVE-2019-11510 Scan Results

Between Sunday, September 8, 2019 and Monday, September 9, 2019 we conducted another round of CVE-2019-11510 vulnerability scanning and found 9,002 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Monday, September 16, 2019, we performed additional CVE-2019-11510 vulnerability scans and found 7,712 vulnerable Pulse Secure VPN servers.

On Monday, September 23, 2019, we completed our weekly CVE-2019-11510 scans and found 7,081 vulnerable Pulse Secure VPN servers.

On Monday, September 30, 2019, we completed our weekly scans and found 6,527 vulnerable Pulse Secure VPN servers.

On Monday, October 7, 2019, we completed our weekly CVE-2019-11510 scans and found 6,018 vulnerable Pulse Secure VPN servers.

On Monday, October 14, 2019, we completed our weekly CVE-2019-11510 scans and found 5,640 Pulse Secure VPN servers worldwide remain vulnerable.

On Monday, October 21, 2019, we completed our ninth round of CVE-2019-11510 scans and found 5,285 vulnerable Pulse Secure VPN servers worldwide.

On Monday, October 28, 2019, we completed our tenth round of vulnerability scans and found 5,080 Pulse Secure VPN servers vulnerable to CVE-2019-11510.

On Monday, November 4, 2019, we conducted our eleventh round of vulnerability scans and found 4,889 vulnerable Pulse Secure VPN servers.

On Monday, November 11, 2019, we conducted our twelfth round of vulnerability scans and found 4,716 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Monday, November 18, 2019, we conducted our thirteenth round of vulnerability scans and found 4,538 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, November 29, 2019, we conducted our fourteenth round of vulnerability scans and found 4,299 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, December 6, 2019, we conducted our fifteenth round of vulnerability scans and found 4,182 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, December 13, 2019, we conducted our sixteenth round of vulnerability scans and found 4,021 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, December 20, 2019, we conducted our seventeenth round of vulnerability scans and found 3,905 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, December 27, 2019, we conducted our eighteenth round of vulnerability scans and found 3,826 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, January 3, 2020, we conducted our nineteenth round of vulnerability scans and found 3,825 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, January 10, 2020, we conducted our twentieth round of vulnerability scans and found 3,623 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, January 17, 2020, we conducted our twenty-first round of vulnerability scans and found 3,328 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, January 24, 2020, we conducted our twenty-second round of vulnerability scans and found 3,149 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, February 20, 2020, we conducted our twenty-third round of vulnerability scans and found 2,495 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Tuesday, March 3, 2020, we conducted our twenty-fourth round of vulnerability scans and found 2,322 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Tuesday, March 23, 2020, we conducted our twenty-fifth round of vulnerability scans and found 2,099 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

How to obtain our CVE-2019-11510 report

Our latest CVE-2019-11510 vulnerability scan results are freely available for authorized government CERT, ISAC, and law enforcement teams to review. Please submit a request here and provide the country, ASN, or domain names of your constituency.
