The U.S. National Security Agency warned that nation-state threat actors are actively exploiting several VPN vulnerabilities in products from Pulse Secure, Palo Alto Networks and Fortinet.
The NSA issued a cybersecurity advisory Monday urging users to patch and mitigate three previously disclosed VPN vulnerabilities that "multiple nation-state advanced persistent threat (APT) actors have weaponized." In the advisory, the NSA did not specify which nations or APT groups are exploiting the flaws, or for what purpose.
A separate advisory from the U.K.'s National Cyber Security Centre (NCSC) issued last week said "the activity is ongoing, targeting both U.K. and international organizations" in various sectors, including government, military, academic, business and healthcare. The NCSC also said hundreds of VPN hosts in the U.K. could be vulnerable to these attacks.
The VPN vulnerabilities under exploit include two remote code execution flaws -- CVE-2019-11539, in Pulse Secure's Pulse Connect Secure and Pulse Policy Secure products, and CVE-2019-1579, which affects Palo Alto GlobalProtect VPN -- and two issues that could allow malicious downloads.
The two download issues are CVE-2019-11510, which allows remote arbitrary file downloads in the same Pulse Secure products, and CVE-2018-13379, which allows unauthenticated users to download system files in Fortinet's FortiGate VPN via specially crafted HTTP resource requests.
The NSA noted in its advisory that malicious actors are using exploit code for the Pulse Secure flaws that is "freely available online via the Metasploit Framework, as well as GitHub."
In addition to those vulnerabilities, the NCSC highlighted two other flaws in FortiGate: CVE-2018-13382, which allows an unauthenticated user to change the password of a VPN web portal user, and CVE-2018-13383, which is a heap buffer overflow vulnerability that can allow remote code execution. The NCSC did not explicitly say whether these flaws are under attack in the wild.
All of the VPN vulnerabilities in the two advisories were previously disclosed and patched by their respective vendors. The NSA warned that if threat actors have exploited the vulnerabilities to collect user credentials or create new ones, those credentials would still be valid even after patching and updating the VPNs.
The NSA recommended updating all user, administrator and service account credentials; revoking old VPN server keys and certificates and generating replacements; and reviewing all accounts to ensure no new, fraudulent accounts have been created.
The NSA advisory also recommended several hardening techniques, including using multifactor authentication for VPN accounts, enabling logging for VPN user activity and requiring public-facing VPNs to use strong TLS for network traffic encryption and certificate-based authentication.