Enterprise VPN Vulnerabilities Expose Organizations to Hacking, Espionage

Critical vulnerabilities in enterprise virtual private network (VPN) solutions from Palo Alto Networks, Fortinet and Pulse Secure allow attackers to infiltrate corporate networks, obtain sensitive information, and eavesdrop on communications, researchers warn.


Orange Tsai and Meh Chang of the research team at security consulting firm DEVCORE told SecurityWeek that they set out to find the most serious types of vulnerabilities in these products — namely unauthenticated remote code execution — and they claim to have achieved their goal.


The vulnerabilities were identified in Palo Alto Networks GlobalProtect, Fortinet FortiGate (FortiOS), and Pulse Secure’s Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). Each of the impacted vendors has released patches and advisories for their customers.


In the Pulse Secure products, the researchers said they identified a total of 7 vulnerabilities: an arbitrary file read issue that can be exploited without authentication, and post-authentication stack buffer overflow, command injection, arbitrary file read/write, session hijacking, and cross-site scripting (XSS) flaws.


Orange Tsai told SecurityWeek that they combined the unauthenticated file read issue (CVE-2019-11510) with a post-authentication command injection bug (CVE-2019-11539) to achieve remote code execution.


In the case of the FortiGate SSL VPN, the researchers discovered arbitrary file read, XSS and heap overflow flaws that can be exploited without authentication, as well as a post-authentication heap overflow, and a weakness that can be exploited to modify any user’s password. They chained an unauthenticated arbitrary file read issue (CVE-2018-13379) with a post-authentication heap overflow (CVE-2018-13382) to achieve remote code execution.


