Organizations that have not yet installed the latest version of Pulse Secure VPN have good reason to stop dithering – a code execution vulnerability that could allow an attacker to take control of networks using the product.
Tracked as CVE-2020-8218, the vulnerability requires an attacker to have administrative privileges on the computer running the VPN. Researchers at GoSecure, the company that discovered the bug, came up with a simple way to overcome this hurdle: trick an administrator into clicking on a malicious link embedded in an email or other type of message.
The phishing season has now officially started
“Although authentication is required,” wrote GoSecure researcher Jean-Frédéric Gauron in a post referring to the exploit, “the fact that it can be triggered by a simple phishing attack on the right victim should be sufficient evidence that this vulnerability cannot be ignored.”
While phishing attacks are old, they remain one of the most effective ways to get past the defenses of not only consumers but Fortune 500 and government organizations as well. Given the current work-from-home regime caused by the COVID-19 pandemic, the stakes are even higher.
Last month, attackers took control of Twitter's internal systems by using detailed personal information from social media websites to trick a remote worker into entering credentials on a fake page. According to KrebsOnSecurity, the FBI and the Cybersecurity and Infrastructure Security Agency recently warned that similar attacks are taking place across the country.
VPNs, short for Virtual Private Networks, enable companies to cryptographically authenticate employees who connect to the network and to encrypt all communications. In the past 18 months, VPNs have proven to be a key opening for hackers to penetrate carefully protected network perimeters.
A favorite target
Last year, attackers behind the REvil ransomware gained access to the Travelex money exchange network, most likely through one or more critical security holes in Pulse Secure that administrators had not patched. The hack occurred eight months after patches were released and four months after warnings. The vulnerability has been actively exploited on computers that have not been patched. It was a costly oversight for Travelex. According to the BBC, the attackers demanded $6 million to restore the company's data.
Earlier this year, a number of in-the-wild attacks exploited zero-day flaws in a Citrix VPN until the company could fix them.
In a post published Wednesday, Gauron said CVE-2020-8218 was one of four vulnerabilities discovered in the Pulse Secure VPN. The company reported it in mid-June, and Pulse Secure released a patch four weeks ago.
Company researcher Julien Pineault said in an email that GoSecure found the vulnerabilities on behalf of a customer who wanted to test whether the new Pulse Secure VPN deployment was vulnerable to existing attacks. After discovering a command injection bug, they examined a post by researcher Orange Tsai for clues on how to bypass security measures that Pulse Secure developers had put in place.
Because of the customer engagement, GoSecure could not actually penetrate the network. However, they were able to confirm that such an attack was possible in a laboratory setting.
According to Pineault, CVE-2020-8218 is the most serious of the four vulnerabilities his company has found. He said GoSecure planned to provide details of other vulnerabilities once Pulse Secure fixed them.
CVE-2020-8218 is fixed in version 9.1R8 of Pulse Connect. Given the industry's poor track record of patching and the dire consequences that has, it is well worth checking.