Hackers are scanning the web for vulnerable Fortinet, Pulse Secure Products installs

Hackers are exploiting recently disclosed flaws in enterprise virtual private network (VPN) products from Fortinet and Pulse Secure.

The popular cybersecurity expert Kevin Beaumont has observed threat actors attempting to exploit the CVE-2018-13379 in the FortiOS SSL VPN web portal and CVE-2019-11510 flaw in Pulse Connect Secure.

The CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files.

“A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.” reads the security advisory.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

“Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability.” reads the advisory.

The vulnerabilities were first reported in July by researchers Orange Tsai and Meh Chang from DEVCORE that found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents.

The security duo shared the results of their analysis at the Black Hat and DEFCON hacking conferences and proof-of-concept (PoC) exploits were publicly disclosed after their talks.

Even if the impacted vendors have released security advisories for the vulnerabilities discovered by the experts, attackers are attempting to exploit them in attacks in the wild.

Beaumont pointed out that an attacker could exploit the CVE-2018-13379 flaw to obtain administrator credentials in plain text, using the binaryedge online scanner he also found nearly half a million IP addresses associated with Fortinet devices exposed online.

Beaumont detected scanning activity aimed at vulnerable Fortinet systems on August 21, while he spotted threat actors targeting Pulse Secure systems on August 22.

Clearly, it is important that admins will apply security patches released by vendors as soon as possible to mitigate possible attacks.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Pulse Security Products, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]