This post was originally available on the Intelligent Response Encyclopedia (IRE), but it seems to be useful and a good example of an experimental hunting use case, so I decided to publish it here with new updates from the National Cyber Security Centre.

Threat Intelligence

Vulnerabilities

According to Volexity’s article, CVE-2019-11510 was used to attack vulnerable Pulse Secure SSL VPN servers in order to read VPN configuration and other sensitive files at will. The exploitation phase involves sending a crafted request; the following example shows such a request with the target file name (/etc/passwd) the attacker intended to read.

<target-host>/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/

With this vulnerability, the attacker can access the VPN session database and credentials, either hashed or in plaintext, from the device’s cache. As described by the National Cyber Security Centre, the threat actors have also used the same kind of vulnerability to target other VPN products. Exploits for these vulnerabilities are publicly available online, and the vulnerabilities can be identified by the following CVEs:

  • Pulse Connect Secure:
  • Fortinet:
    • CVE-2018-13379: Pre-auth arbitrary file reading
    • CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
    • CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.
  • Palo Alto:

Malware

No malware is identified in this operation.

Tactics, Techniques, and Procedures

CVE-2019-11510

The attacker will conduct the following activities during their operation:

  1. Validating the existence of the vulnerability by trying to access /etc/passwd and /etc/hosts with the exploit
  2. If the device is vulnerable, the attacker might try to access data at the following locations:
    1. User session database at /data/runtime/mtmp/lmdb/randomVal/data.mdb
    2. Cached credentials at /data/runtime/mtmp/lmdb/data/data.mdb
    3. Hashed user credentials at /data/runtime/mtmp/system
  3. With the obtained credentials, the attacker can reuse the credentials to create a VPN tunnel and access the internal network

Two-factor authentication will not prevent the hijacking of a valid, already-authenticated session.

Indicators of Compromise

See more on Network Indicators

Hypothesis Proposal

Pulse Secure SSL VPN: CVE-2019-11510 and CVE-2019-11539

To efficiently gain the visibility required for this attack scenario, we need to enable a feature on Pulse Secure VPN that records unauthenticated web requests for hunting, which isn’t turned on by default. This can be done via System -> Log/Monitoring -> User Access -> Settings, then selecting Unauthenticated Requests.

When the unauthenticated web request logging feature is enabled, we can identify the attack by focusing on requests to the vulnerable path that end in an existing file name. For example, an attempt to access /data/runtime/mtmp/lmdb/randomVal/data.mdb will look like this:

info – [x.x.x.x] – System()[][] – 2019/08/14 09:15:26 – VPN-Remote – Connection from IP x.x.x.x not authenticated yet (URL=/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/randomVal/data.mdb?/dana/html5acc/guacamole/)

If such a request is identified, we can assume that the attacker has already accessed an unknown number of credentials. We can then look for behaviour that may relate to session hijacking by examining the Pulse Secure VPN logs for suspicious changes of a user’s remote IP address:

2019-08-14 09:35:32 – PulseSecure – [1.2.3.4] DOMAIN\username – Remote address for user DOMAIN\username changed from 1.2.3.4 to 5.6.7.8.
2019-08-14 09:38:56 – PulseSecure – [1.2.3.4] DOMAIN\username – Remote address for user DOMAIN\username changed from 5.6.7.8 to ...

For CVE-2019-11539, we can identify an exploitation attempt by searching for requests to /dana-admin/diag/diag.cgi with an options= parameter in the URL.

Fortinet: CVE-2018-13379, CVE-2018-13382, and CVE-2018-13383

To identify an attack, we need to make sure that the device is configured to log web requests. Alternatively, firewall logs or NetFlow logs can also be used to identify the attack.

According to the National Cyber Security Centre, when exploiting CVE-2018-13379 an attacker may download sslvpn_websession, which contains the usernames and passwords of active users. This file is typically at least 200 KB. Searching firewall or NetFlow logs for TCP sessions with 200,000-250,000 bytes from the SSL VPN device’s web interface port to the client, and a small number of bytes (less than 2,000) from the client, may return evidence of exploitation.

Additional Information