NSA Is Latest Intelligence Agency to Sound VPN Patch AlarmNot Just Patch or Perish, But Also Pay Attention, Security Experts Warn
If one of your nation's intelligence agencies issues a cybersecurity alert, pay attention.
See Also: 2022 Voice of the CISO
That's because warnings from the U.S. National Security Agency, U.K.'s GCHQ and the Canadian Center for Cyber Security, as well as law enforcement agencies with cyberattack investigation responsibilities, rarely get issued unless there have already been a string of victims and attacks are continuing.
That's what I've been hearing from security experts about the increased pace of alerts being issued by intelligence agencies (see: Report: UK Universities Vulnerable to Cyberattacks).
Add to that list the NSA this week joining mounting warnings that nation-state attackers are continuing to target and exploit flaws in three types of VPN servers built by Fortinet, Palo Alto Networks and Pulse Secure (see: Chinese APT Group Began Targeting SSL VPN Flaws in July).
"Multiple nation-state advanced persistent threat (APT) actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 to gain access to vulnerable VPN devices," the NSA's alert warns, referring to two flaws in the firmware that runs Pulse Connect Secure devices and one in the firmware for Fortinet devices.
The NSA alert follow Britain's National Cyber Security Center - part of GCHQ - issuing a similar alert last week (see: Unpatched VPN Servers Targeted by Nation-State Attackers).
As with NCSC, the NSA warns that attackers are actively exploiting flaws in three major VPN products: Pulse Secure, Palo Alto GlobalProtect and Fortinet Fortigate.
Canadian intelligence has already issued indicators of compromise that organizations can use to help spot these attacks. The NSA says its guidance is meant to augment that by helping organizations recover from a compromise as well as better harden their VPN servers against future attacks.
Palo Alto released updates in July that included patches for the targeted flaws, but it did not issue a security alert to customers advising them to patch. Meanwhile, Pulse Secure released patches for Pulse Connect Secure, previously known as Juniper SSL Virtual Private Network, in April, and Fortinet released updates to patch flaws in FortiOS in April and May. Both of those vendors have also issued security alerts to customers.
But thousands of servers have still not yet been patched (see: Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNs).
Total vulnerable Pulse Secure VPN servers by country:— Bad Packets Report (@bad_packets) October 8, 2019
United States: 2,017
United Kingdom: 438
South Korea: 259
Hong Kong: 120
All others: 1,529https://t.co/EC1SgikDFc
Pulse Connect Secure
The Pulse Connect Secure flaws involve:
The NSA recommends immediate updating to patch them, as well as hardening servers to make these type of vulnerabilities more difficult to exploit. In particular, it recommends organizations use mutual certificate-based authentication, which can block attackers from targeting flaws such as these that can be exploited via HTTP. "With mutual certificate-based authentication, the VPN web application requires any connecting clients to first authenticate using a client certificate that lets the VPN web application ensure the client is legitimate and allowed to access the VPN web application," it says.
Palo Alto GlobalProtect
Palo Alto VPN servers must be patched to fix this flaw:
- CVE-2019-1579: Palo Alto Networks GlobalProtect Portal.
The flaw "allows remote code execution and is being exploited in the wild, according to researchers," the NSA's alert reads. "Upgrade devices to the latest version."
The NSA alert notes that vulnerabilities in Fortinet Fortigate VPN devices are also being actively exploited, including CVE 2018-13379.
- CVE-2018-13379: Pre-auth arbitrary file reading;
- CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user;
- CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.
"Upgrading to the latest version will remove the vulnerabilities," the NSA alert says.
Echoing NCSC's advice, NSA recommends that after updating a vulnerable device, organizations should assume they were exploited and credentials stolen, and that new user, administrator or service accounts may have been created, which would still be valid.
Accordingly, the NSA recommends that IT administrators:
- Update credentials: "Immediately update VPN user, administrator, and service account credentials."
- Revoke keys and certificates: "Immediately revoke and generate new VPN server keys and certificates. This may require redistributing VPN connection information to users."
- Review accounts: "If compromise is suspected, review accounts to ensure no new accounts were created by adversaries."
The NSA alert also includes 13 recommendations for hardening all types of VPN servers to foil attacks as well as enable post-breach incident responders to better ascertain how and when successful attacks might have occurred. For example, the NSA recommends that organizations carefully monitor VPN access and "enable logging to record and track VPN user activity, including authentication and access attempts, configuration changes and network traffic metadata - e.g. IP addresses, ports, protocols and sessions."
Practice Vulnerability Management
Organizations using any of the vulnerable VPN servers will ideally have patched them long ago. But the continuing alerts from intelligence agencies highlight how that isn't so.
This week, Troy Mursch of Chicago-based threat intelligence firm Bad Packets reported that internet scans have found more than 6,000 Pulse Secure VPN servers with login pages accessible via HTTP that are vulnerable to CVE-2019-11510. The greatest concentration of them are in the United States.
Earlier this week, incident response expert David Stubley told me that many more Fortinet devices remain vulnerable to CVE-2018-13379 - designated FG-IR-18-384 by the vendor - which enable attackers to easily swipe plaintext passwords and usernames.
Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements, says that as of Wednesday, his internet scans have counted 206,000 Fortinet VPN servers globally that have HTTP-accessible login pages, of which 22,000 appear to be vulnerable - down only slightly from 26,000 a few weeks ago - including 617 now in the U.K.
Stubley says these types of flaws highlight the need for organizations to practice robust vulnerability and patch management, as well as to ensure they have in-house or outsourced expertise on hand to properly prioritize what to patch and when.
In part, that's because the flaws now being cited by the NSA and others as being actively targeted by foreign intelligence agencies were not all labeled in vulnerability designations as posing a critical risk.
"During a recent monthly scan for one of our customers, we identified the medium-impact Fortigate VPN issue being present. But the attack-led knowledge of our team, responsible for validating these types of issues, quickly identified that the vulnerability has a critical level of risk, because it could be used to trivially extract valid usernames and passwords," he says. "We informed the client directly about the exposure and they were able to remediate it within two hours of being notified." Timing-wise, that was three weeks before NCSC issued its alert, and four weeks before the NSA released its guidance.
So while "patch or perish" remains paramount, so too does paying attention to the nuances of the devices you're using, how they might be compromised, and using that information to prioritize what to patch and when.