Unpatched VPN Flaws Can Help Hackers Attack Enterprises, Warn NSA and NCSC

Investigations by NSA (National Security Agency) and NCSC (National Cyber Security Centre) revealed that particular VPN (Virtual Private Network) services might be under attack from cybercriminal groups known as APT (Advanced Persistent Threat). However, it is possible that different hacker teams could be interested in attacking vulnerable VPNs too. As a result, many international companies that use such services could be in danger, which is why cybersecurity specialists recommend taking immediate action. In this blog post, we discuss which applications are targeted and what makes VPN vulnerable. Also, if you continue reading, you can find out what you should do if your company is using one of the vulnerable VPN services. If you have any questions about the discussed VPN flaws, we can offer our comments section that can be found at the end of this page.

What makes VPN vulnerable, and which services could be under attack?

Pulse Secure, Fortinet, and Palo Alto are the companies that provide VPN services, which are targeted by APT hackers. Also, it was noticed that cybercriminals are after companies working in the following sectors: government, military, education, business, and healthcare. It is likely that their goal is to gain access to organizations’ systems, for example, to obtain sensitive information or drop malicious software.

According to NCSC, hackers are aware of particular VPN flaws that the listed tools have. The VPN tool provided by Pulse Secure has two weaknesses called CVE02019-11510 and CVE-2019-11539, which may allow remote attackers to read arbitrary files or execute commands via the admin interface. The Fortinet’s VPN product has three flaws called CVE-2018-13379, CVE-2018-13382, and CVE-2018-13383. As you can see, the listed flaws are not new as they were discovered back in 2018. Still, there could be users who may not have patched them yet.

Another thing you should know about Fortinet’s VPN flaws is that they may allow attackers to read arbitrary files, change passwords of SSL VPN web portal users, and get shell running on a router. As for those who use the Palo Alto services, they might be pleased to learn that this VPN has only one flaw that the ATP hackers might be able to exploit. It is called CVE-2019-1579, and it may allow attackers to execute arbitrary code. Exploiting arbitrary code execution might enable attackers to gain the same privileges that a user of a targeted application or a system might have. For example, if hackers exploit such a flaw in VPN software, they might be able to change its settings, view logs, or do anything else that a user could do.

How to get rid of VPN flaws?

VPN flaws can be resolved the same way as any other software weaknesses. Usually, once a vulnerability becomes known to a company responsible for it, an organization searches for a way to fix it. After a solution is found, a patch or an update appears that a product’s users can download. While some tools inform users about weaknesses and patches that can be applied, sometimes users have to find out about them on their own, for example, while visiting a company’s website.

All the six VPN flaws found in the Pulse Secure, Fortinet, and Palo Alto products were patched some time ago. Whether you have been notified about necessary patches, but chose to skip installing them, or you have not heard about these patches yet, we highly recommend applying them as soon as possible. Of course, in the future, you should always install updates right away if you want your devices and systems to be safe.

How to determine if your VPN flaws might have been exploited?

If your VPN application has not been patched for quite some time, cybersecurity specialists recommend taking extra precautions. Meaning you should not only apply patches that would fix your VPN flaws but also investigate activities related to your VPN to search for proof of a breach. Below you can see NCSC tips on how to find evidence of compromised VPNs.

Pulse Connect

Organizations that use this company’s VPN services are advised to search for connections to suspicious URLs. To do so, specialists recommend making an HTTPS request to the Web interface directly and not through the VPN. If such activities appear in event logs, it is advisable to check search logs for URL addresses containing question marks and ending with /dana/html5acc/guacamole. Also, specialists recommend searching for requests to /dana-admin/diag/diag.cgi. If such data is found and it dates before patches for the CVE02019-11510 and CVE-2019-11539 weaknesses were installed, it is possible a system could be compromised.


It appears that hackers who might be exploiting the CVE-2018-13379 weakness could download a file called sslvpn_websession. Cybersecurity experts say it ought to contain passwords and usernames of all active users, and the file’s size should be about 200 KB. Another way to check if hackers might have exploited a company’s VPN flaws is to investigate firewall logs or Netflow logs if a program was configured to record them. To be more precise, specialists advise looking for TCP sessions with 200.00-250.000 bytes from the SSL VPN web interface port to the client, which could provide evidence of exploitation.

Palo Alto

Organizations that might have used unpatched VPN tools from this company are advised to look for crashes in the software logs. Apparently, failed attempts to exploit this VPN could be visible in its logs, and it is the only thing that might help determine whether a system could be compromised.

What to do if you find out your VPN flaws were exploited?

Cybersecurity specialists advise revoking login credentials at risk and resetting authentication credentials. Next, victims are advised to check the breached application's configuration options and search for unauthorized changes that, if found, ought to be restored. As an extra precaution, companies could enable Two-Factor Authentication and disable any ports or functions on their VPNs that they do not use or need. Of course, it would also be smart to continue monitoring network traffic and the VNP logs for suspicious activities to prevent further attacks. As a last resort, cybersecurity experts suggest wiping compromised devices if a company suspects a breach, but cannot find evidence of hacking and do not want to take any chances.

Overall, using a VPN can still help enterprises protect their systems from cybercriminals. However, it is essential to make sure that there are no VPN flaws, as it is what makes VPN vulnerable. Therefore, cybersecurity experts recommend checking for new patches and updates regularly. The sooner they are installed, the lesser are the chances that hackers will be able to exploit unpatched weaknesses. Probably the easiest way to make sure the VPN services that your company uses are always up to date is to employ an IT team that would ensure that your VPN, as well as other software, were patched and updated in time. To learn more about the flaws of enterprise VPNs, we recommend reading here.

December 11, 2019

Leave a Reply