1:10pm, 18 October 2019
TLP Rating:
Virtual private network (VPN) vulnerabilities being exploited
Vulnerabilities are being exploited in several widely used virtual private network (VPN) products manufactured by Pulse Secure, Fortinet and Palo Alto.
The vulnerabilities appear to allow an attacker to retrieve arbitrary files, including those containing authentication credentials. An attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure.
What's happening
Systems affected
The affected VPN products are:
- Pulse Connect Secure
- Fortigate
- Palo Alto
- Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
- Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
- Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3
Exploits for the vulnerabilities are publicly available online.
What this means
The vulnerabilities allow potential attackers to retrieve arbitrary files which may also contain authentication credentials. With these credentials, unauthorised parties may be able to connect to the VPN, and in doing so change configuration settings, or connect to the wider network.
What to look for
How to tell if you're at risk
If you’re running unpatched versions of software from these vendors, you are at risk and need to patch immediately.
What to do
Prevention
Patches are available for each vulnerability. CERT NZ strongly recommends all users of these products patch immediately to avoid compromise.
Patches are available for:
NCSC UK also recommends you change your authentication credentials associated with affected VPNs and accounts connecting through them.
More information
NCSC UK advisory on the vulnerabilities External Link
Critical control: Patching External Link
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ External Link
For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.