Vulnerabilities in SSL VPN products are some of the most exploited by attackers for initial access to target networks, acting as a doorway for exploitation. Earlier this year, Tenable Research named three VPN vulnerabilities as part of its Top Five Vulnerabilities of 2020. Although all three vulnerabilities (CVE-2019-19781, CVE-2019-11510, CVE-2018-13379) were disclosed in 2019 and patched by January 2020, they continue to be routinely exploited more than halfway through 2021.
Based on Tenable Research’s analysis of vendor advisories, government warnings, and industry data, the team re-examined how attackers have historically exploited these vulnerabilities, along with new reports of attacks, in 2021.
Several threat groups have been known to leverage CVE-2019-19781 — a path or directory traversal flaw in Citrix ADC, Gateway and SD-WAN WANOP products to target the healthcare industry. More recently, attackers have indicated their preference for this vulnerability in online forums between January 2020 and March 2021, as it was the top mentioned CVE on Russian and English-speaking dark web forums.
In April 2019, Pulse Secure released an out-of-band security advisory to address multiple vulnerabilities in its Pulse Connect Secure SSL VPN solution. The most notable one, CVE-2019-11510, an arbitrary file disclosure vulnerability was assigned the maximum CVSSv3 score of 10.0. Fast forward to Q1 2021 — a report from Nuspire showed a 1,527% increase in attempts to exploit CVE-2019-11510 against vulnerable Pulse Connect Secure SSL VPNs. There are also at least 16 malware families that have been developed to exploit vulnerabilities in Pulse Connect Secure.
In May 2019, Fortinet patched a directory traversal vulnerability in their FortiOS SSL VPN, which allows an unauthenticated attacker to access arbitrary system files using crafted HTTP requests. Now, attacks leveraging the bug increased 1,916% in Q1 2021. Even further, an April report from Kaspersky ICS CERT revealed that threat actors used it as an entry point into an enterprise network to deploy Cring ransomware.
Because SSL VPNs provide a virtual doorway into organizations, ransomware groups will continue to target these unpatched flaws until organizations take steps to reinforce these entry points by patching vulnerabilities in SSL VPN products.
Read the full report by Tenable Research.
VentureBeatVentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more