Tenable: 3 SSL VPN vulnerabilities revealed in 2019 are still routinely exploited



Vulnerabilities in SSL VPN products are among those most exploited by attackers for initial access to target networks, acting as a gateway to exploitation. Earlier this year, Tenable Research named three VPN vulnerabilities as part of its top five vulnerabilities for 2020. Although all three vulnerabilities (CVE-2019-19781, CVE-2019-11510, CVE-2018-13379) were disclosed in 2019 and patched by January 2020, they continue to be routinely exploited more than halfway through 2021.

Based on Tenable Research’s analysis of vendor reviews, government warnings, and industry data, the team reexamined how attackers have historically exploited these vulnerabilities, along with new reports of attacks, in 2021.

Several threat groups are known to exploit CVE-2019-19781, a path or directory traversal flaw in Citrix ADC, Gateway and SD-WAN WANOP products, to target the healthcare industry. Most recently, attackers indicated their preference for this vulnerability in online forums between January 2020 and March 2021, as it was the most mentioned CVE on Russian and English-speaking dark web forums.

In April 2019, Pulse Secure released an out-of-band security advisory to address multiple vulnerabilities in its Pulse Connect Secure SSL VPN solution. The most notable, CVE-2019-11510, an arbitrary file disclosure vulnerability, was assigned a maximum CVSSv3 score of 10.0. Fast forward to Q1 2021: a report from Nuspire showed a 1,527% increase in attempts to exploit CVE-2019-11510 against vulnerable Pulse Connect Secure SSL VPNs. There are also at least 16 malware families that have been developed to exploit vulnerabilities in Pulse Connect Secure.

In May 2019, Fortinet fixed a directory traversal vulnerability in its FortiOS SSL VPN, which allows an unauthenticated attacker to access arbitrary system files using specially crafted HTTP requests. Attacks exploiting the bug increased by 1,916% in the first quarter of 2021. Furthermore, an April report from Kaspersky ICS CERT found that threat actors were using it as an entry point into a company network to deploy Cring ransomware.

Since SSL VPNs provide a virtual gateway into organizations, ransomware groups will continue to target these unpatched vulnerabilities until organizations strengthen these entry points by patching their SSL VPN products.

Read the full Tenable Research report.

