On Thursday, August 22, 2019, our honeypots detected opportunistic mass scanning activity from a host in Spain targeting Pulse Secure “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This arbitrary file reading vulnerability allows sensitive information disclosure enabling unauthenticated attackers to access private keys and user passwords. Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.
⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 2.137.127.2 (🇪🇸) checking for @pulsesecure Pulse Connect Secure VPN endpoints vulnerable to arbitrary file reading (CVE-2019-11510).#threatintel pic.twitter.com/fiRUMKjwbE— Bad Packets Report (@bad_packets) August 22, 2019
On Friday, August 23, 2019, our honeypots detected additional mass scanning for CVE-2019-11510 from another host in Spain.
⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 81.40.150.167 (🇪🇸) checking for @pulsesecure Pulse Connect Secure VPN endpoints vulnerable to arbitrary file reading (CVE-2019-11510) that allows sensitive information disclosure.#threatintel pic.twitter.com/vYEJ1Coa38— Bad Packets Report (@bad_packets) August 23, 2019
On Thursday, August 29, 2019, our honeypots detected mass scanning for vulnerable Fortinet and Pulse Secure VPN servers from a host in the United States.
⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 209.217.227.186 (🇺🇸) attempting to exploit Pulse Secure VPN servers (CVE-2019-11510) and Fortinet FortiGate VPN servers (CVE-2018-13379) vulnerable to sensitive information disclosure.#threatintel pic.twitter.com/UQkgUPSkKo— Bad Packets Report (@bad_packets) August 30, 2019
The exploit activity detected from hosts in Spain attempted to download the “etc/passwd” file which contains the usernames associated with the VPN server (not client accounts). In all cases, a successful “HTTP 200/OK” response to this scan indicates the endpoint is vulnerable to further attacks. Given the ongoing scanning activity, it’s likely attackers have enumerated all publicly accessible Pulse Secure VPN servers vulnerable to CVE-2019-11510.
How many hosts are vulnerable to CVE-2019-11510?
Using data provided by BinaryEdge, we scanned 41,850 Pulse Secure VPN endpoints to ascertain which were vulnerable. On Saturday, August 24, 2019, our scans found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. No sensitive information was disclosed or recorded during our scans as we simply sent a HEAD HTTP request (unlike a GET request that downloads a file) to confirm the arbitrary file reading vulnerability was possible.
Where are the vulnerable hosts located?
Vulnerable hosts were found in 121 countries around the world.
This interactive map shows the total vulnerable hosts found per country. Overall, the most vulnerable Pulse Secure VPN endpoints were located in the United States.
Which organizations are affected by CVE-2019-11510?
2,535 unique autonomous systems (network providers) were found to have vulnerable Pulse Secure VPN endpoints on their network. We’ve discovered this vulnerability currently affects:
- U.S. military, federal, state, and local government agencies
- Public universities and schools
- Hospitals and health care providers
- Electric and gas utilities
- Major financial institutions
- News / Media corporations
- Numerous Fortune 500 companies
The list of affected organizations will not be published because this critical vulnerability is easy to exploit using publicly available proof-of-concept code.
Additionally, further exploitation of this vulnerability could allow remote code execution (RCE) on the clients connecting to a compromised VPN server. This technique could be used to spread ransomware and any other type of malware on sensitive networks.
Closing Remarks
Pulse Secure VPN administrators need to immediately ensure they’re not using versions of the “Pulse Connect Secure” server software vulnerable to CVE-2019-11510. Pulse Secure has provided guidance on how to update to fixed versions. There is no workaround for this vulnerability. Given the severity of this sensitive information disclosure vulnerability coupled with the risk of unauthorized access to private networks – there is little time to update before threat actors engage in further malicious activity.
Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Pulse Secure VPN endpoints will not be published publicly. However, the list is freely available for authorized government CERT and CSIRT teams to review. We’ve shared our findings directly with US-CERT (CISA) and other U.S. federal law enforcement agencies for further investigation and remediation.
We’ve also notified these organizations: A-ISAC, ACSC, aeCERT, AusCERT, CCCS, CERT-Bund, CERT-FR, CERTGOVIL, CERT-In, CERT POLSKA, CIRCL.LU, CITC-SA, colCERT, E-ISAC, EG-CERT, GovCERT.ch, GovCERT.gv.at, GovCERT.HK, GOVCERT.LU, H-ISAC, IL-CERT, JPCERT/CC, KN-CERT, KPN-CERT, MS-ISAC, MSRC, NCSC, NCSC-IE, NCSC-NL, Q-CERT, REN-ISAC, SingCERT, ThaiCERT, TR-CERT, TWCERT/CC, TWNCERT, and VNCERT.
Additional Updates
On Saturday, August, 31, 2019, we conducted another round of vulnerability scanning and found 10,471 Pulse Secure VPN servers worldwide remain vulnerable to compromise.
Total vulnerable Pulse Secure VPN servers by country:
🇺🇸 United States: 3,481
🇯🇵 Japan: 1,381
🇬🇧 United Kingdom: 664
🇫🇷 France: 418
🇩🇪 Germany: 400
🇳🇱 Netherlands: 283
🇰🇷 South Korea: 258
🇧🇪 Belgium: 252
🇮🇱 Israel: 225
🇨🇭 Switzerland: 213
All others: 2,896https://t.co/HVXWLcJZj1— Bad Packets Report (@bad_packets) September 1, 2019
On Monday, September 1, 2019, JPCERT/CC published an advisory urging Pulse Secure VPN server administrators to the update to the latest version as soon as possible. We thank JPCERT/CC for their assistance in notifying vulnerable organizations in Japan.
"On August 31, 2019, according to Bad Packets, 10,471 hosts were confirmed to be vulnerable, and 1,381 of them were hosts in Japan. Upon receiving this report, JPCERT/CC started contacting administrators of these hosts." https://t.co/u9nXD8yiDS
— Bad Packets Report (@bad_packets) September 3, 2019
On Thursday, September 5, 2019, our honeypots detected mass scanning for CVE-2019-11510 from two hosts in Germany. The exploit activity attempted to download the “etc/hosts” file which contains the internal hostnames and IP addresses associated with the VPN server.
⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 164.68.123.63 (🇩🇪) and 5.189.137.92 (🇩🇪) attempting to exploit Pulse Secure VPN servers vulnerable to arbitrary file read (CVE-2019-11510) leading to sensitive information disclosure of user credentials.#threatintel pic.twitter.com/7uuarIUwWW— Bad Packets Report (@bad_packets) September 5, 2019
On Friday, September 6, 2019, our honeypots detected mass scanning for CVE-2019-11510 from a host in Estonia. The exploit activity attempted to download the “etc/passwd” file which contains the usernames associated with the Pulse Secure VPN server.
⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 5.101.181.41 (🇪🇪) attempting to exploit Pulse Secure VPN servers vulnerable to arbitrary file read (CVE-2019-11510) leading to disclosure of user credentials and other sensitive information.#threatintel pic.twitter.com/qQg6Zj44gF— Bad Packets Report (@bad_packets) September 6, 2019
On Saturday, September 7, 2019, our honeypots detected mass scanning for CVE-2019-11510 from another host in Estonia.
⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 5.101.180.68 (🇪🇪) attempting to exploit Pulse Secure VPN servers vulnerable to unauthenticated arbitrary file read (CVE-2019-11510) leading to disclosure of user credentials and other sensitive information.#threatintel pic.twitter.com/t7pMQrGBAl— Bad Packets Report (@bad_packets) September 7, 2019
On Sunday, September 8, 2019, our honeypots detected mass scanning for CVE-2019-11510 from yet another host in Estonia. This was the third time we detected exploit activity originating from the network of “FASTVPS” (AS198068).
⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 5.101.181.111 (🇪🇪) attempting to exploit Pulse Secure VPN servers vulnerable to unauthenticated arbitrary file read (CVE-2019-11510) leading to disclosure of user passwords and private keys.#threatintel pic.twitter.com/aZuZkLHKtM— Bad Packets Report (@bad_packets) September 8, 2019
Between Sunday, September, 8, 2019 and Monday, September, 9, 2019 we conducted another round of CVE-2019-11510 vulnerability scanning and found 9,002 Pulse Secure VPN servers worldwide remain vulnerable to compromise.
On Monday, September, 16, 2019, we performed additional CVE-2019-11510 vulnerability scans and found 7,712 vulnerable Pulse Secure VPN servers. Our results are freely available for authorized CERT, CSIRT, and ISAC teams to review. Please submit a request here and provide the country, ASN, or domain names of your constituency.