Hundreds of British organisations are vulnerable to VPN attacks being launched by sophisticated Advanced Persistent Threat (APT) actors, who are actively exploiting vulnerabilities in a trio of commercial VPN products, the NCSC has warned.
The organisation, overseen by GCHQ, warned: “This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare. These vulnerabilities are well documented in open source, and industry data indicates that hundreds of UK hosts may be vulnerable.”
VPN Attacks Allow “Secondary Exploits Aimed at Accessing a Root Shell”
The warning last week comes three months after the US’s Department of Homeland Security highlighted the vulnerabilities in Fortinet, Palo Alto and Pulse VPN products, warning that “A remote attacker could… take control of an affected system”.
The highest-impact vulnerabilities known to be exploited by APTs are listed below, although this is not an exhaustive list of CVEs associated with these products.
Sample exploit code for these vulnerabilities is publicly available online. The NCSC cautions against testing infrastructure with untrusted third-party code.
The main CVEs being exploited are the following:
Pulse Connect Secure:
- CVE-2018-13379: Pre-auth arbitrary file reading
- CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
- CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.
- CVE-2019-1579: Palo Alto Networks GlobalProtect Portal
The NCSC said: “Vulnerabilities exist in several SSL VPN products which allow an attacker to retrieve arbitrary files, including those containing authentication credentials. An attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure.
“Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell.”
All three products have been patched by the vendors, and the NCSC noted that the simplest option to improve security is to “apply the latest security patches released by vendors”.
David Grout, CTO of EMEA at FireEye, noted: “Organisations need to patch as soon as possible as these two vulnerabilities are already heavily exploited in the field and the exploits are available for download. The vulnerabilities were first presented at BlackHat in August this year and we have observed multiple campaigns exploiting them in recent weeks. Attackers can use the vulnerabilities to obtain access to VPN gateway accounts, which means they can change them or get access to the victim’s networks.”
He added, in line with the NCSC’s advice: “In the meantime organisations should review all of their logs and look for abnormal activities on their devices. If possible, they should reset authentication on all impacted devices and I’d strongly encourage customers using these VPNs to deploy multi-factor authentication to limit password reuse attacks.”