Pulse Secure and Fortinet have published advisories detailing a critical vulnerability that enables an unauthenticated user to read files through the SSL VPN. Thanks to Detectify Crowdsource hackers, Detectify checks your website for these vulnerabilities and will alert you if your version of the Pulse Secure or Fortinet gateway is affected.
Pulse Secure released a group of patches for medium to critical vulnerabilities on August 20th. These include CVE-2019-11510, Pulse Secure SSL VPN File Disclosure, which Pulse Secure has rated as critical.
The same exploit also applies to Fortinet’s VPN, through another vulnerability known as CVE-2018-13379: Fortinet VPN Path Traversal. You can view their security advisory here.
What can happen if I’m vulnerable?
Several issues were identified, and among the severe ones is the possibility for an unauthenticated user to perform remote arbitrary file access on the Pulse Connect Secure gateway.
In the case of CVE-2019-11510 Pulse Secure SSL VPN File Disclosure and CVE-2018-13379 Fortinet VPN Path Traversal, the attacker is able to read files on the compromised device, including sensitive user information. We received several reports from our Detectify Crowdsource hackers, and in one report the actor was able to retrieve user passwords in clear text.
How was this reported to Detectify?
On August 10th 2019, during the Black Hat and DEFCON conferences, security researchers Orange Tsai and Meh Chang disclosed their research and discovery of pre-auth RCE on multiple leading SSL VPNs. Their security research originally discovered several high-risk and critical vulnerabilities in Pulse Secure. With this, a working POC was made public to the audience, and some of our Detectify Crowdsource hackers were quick to learn from this documentation and submit various working POCs with exploitable payloads to us.
The first submission for CVE-2019-11510, Pulse Secure Arbitrary File Reading, was received by Detectify Crowdsource after Orange Tsai and Meh Chang’s presentation slides were released on August 10th. Following this, we received further reports, including one with an exploitable payload, which further enhanced the modules released today.
Who is affected by this vulnerability?
Sites running one of these versions of Pulse Secure are affected:
- Pulse Connect Secure 9.0R1 – 9.0R3.3
- Pulse Connect Secure 8.3R1 – 8.3R7
- Pulse Connect Secure 8.2R1 – 8.2R12
- Pulse Connect Secure 8.1R1 – 8.1R15
- Pulse Policy Secure 9.0R1 – 9.0R3.3
- Pulse Policy Secure 5.4R1 – 5.4R7
- Pulse Policy Secure 5.3R1 – 5.3R12
- Pulse Policy Secure 5.2R1 – 5.2R12
- Pulse Policy Secure 5.1R1 – 5.1R15
For Fortinet users, these versions are affected:
- FortiOS 5.6.3 to 5.6.7
- FortiOS 6.0.0 to 6.0.4
These FortiOS versions are affected ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
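An added example, not Detectify's scanner code or vendor tooling: a Python triage helper that flags inventory entries whose version falls inside the affected ranges listed above. The version-string formats accepted, the function names and the sample inventory are assumptions constructed for illustration.

```python
import re

# Affected ranges as listed in this post, inclusive: product -> [(first, last)].
AFFECTED = {
    "pulse connect secure": [("9.0R1", "9.0R3.3"), ("8.3R1", "8.3R7"),
                             ("8.2R1", "8.2R12"), ("8.1R1", "8.1R15")],
    "pulse policy secure": [("9.0R1", "9.0R3.3"), ("5.4R1", "5.4R7"),
                            ("5.3R1", "5.3R12"), ("5.2R1", "5.2R12"),
                            ("5.1R1", "5.1R15")],
    "fortios": [("5.6.3", "5.6.7"), ("6.0.0", "6.0.4")],
}

def parse_version(product, text):
    """'9.0R3.3' -> (9, 0, 3, 3); '6.0.4' -> (6, 0, 4). Missing Pulse patch = 0."""
    pattern = (r"(\d+)\.(\d+)\.(\d+)" if product == "fortios"
               else r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")
    m = re.fullmatch(pattern, text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised {product} version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(product, version, sslvpn_enabled=True):
    """True if inside a listed range. False means 'not listed', not 'confirmed safe'."""
    key = product.strip().lower()
    if key not in AFFECTED:
        raise ValueError(f"product not covered by the post: {product!r}")
    if key == "fortios" and not sslvpn_enabled:  # post: only with SSL VPN enabled
        return False
    v = parse_version(key, version)
    return any(parse_version(key, lo) <= v <= parse_version(key, hi)
               for lo, hi in AFFECTED[key])

def hosts_to_patch(inventory):
    """inventory rows: (host, product, version, sslvpn_enabled)."""
    return [host for host, product, version, vpn in inventory
            if is_affected(product, version, vpn)]

# Constructed inventory for illustration (hostnames are placeholders).
SAMPLE_INVENTORY = [
    ("vpn-a.example", "Pulse Connect Secure", "9.0R3.3", True),   # in range
    ("vpn-b.example", "Pulse Connect Secure", "8.3R7.1", True),   # past 8.3R7
    ("nac-a.example", "Pulse Policy Secure", "5.4R2", True),      # in range
    ("fw-a.example", "FortiOS", "6.0.4", True),                   # in range
    ("fw-b.example", "FortiOS", "6.0.4", False),                  # SSL VPN off
    ("fw-c.example", "FortiOS", "6.0.5", True),                   # fixed release
]

if __name__ == "__main__":
    print(hosts_to_patch(SAMPLE_INVENTORY))
```

A version match only prioritises patching; it does not replace testing the gateway itself.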
What should I do if I see this finding in my Detectify report?
Immediately apply the appropriate patch.
Pulse Secure has released patches for the versions listed in the advisory post and recommends immediate patching due to the critical severity of this vulnerability. Note that Pulse Connect Secure and Pulse Policy Secure 9.1R1 and above are not impacted.
Fortinet recommends that all users upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0.
How does Detectify check for this?
A couple of hours after Tsai and Chang published their Black Hat talk slides online, Detectify received a working proof of concept for both the Pulse Secure and Fortinet vulnerabilities from one of our Detectify Crowdsource white hat hackers.
Several other reports followed, including an exploit-capable payload, which we validated and built into our scanner. This means that we can check for the actual vulnerability rather than doing a version check, leading to a more accurate result.
Detectify is a continuous web scanning and monitoring service that can be set up for automated scanning for 1500+ known vulnerabilities, including the OWASP Top 10 and SSL VPN vulnerabilities. Start your free 14-day trial today and check for the latest vulnerabilities!