Critical vulnerabilities in Pulse Secure and Fortinet SSL VPNs in the Wild Internet

Valeriy Shevchenko
5 min read · Sep 2, 2019

An SSL VPN is a type of virtual private network that uses the Secure Sockets Layer protocol — or, more often, its successor, the Transport Layer Security (TLS) protocol — in standard web browsers to provide secure, remote-access VPN capability. SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take over all users connecting to the SSL VPN server!

The products of both major VPN vendors were hacked. In each case, a fairly interesting chain of vulnerabilities can lead to RCE.

Some of you may already be familiar with these vulnerabilities. They were disclosed at the Black Hat conference in Las Vegas by Orange Tsai and his teammate Meh Chang. Here is the full presentation of their research. It is also described quite clearly in their blog post. The exploitation of both vulnerabilities was presented.

A vulnerability in the authentication functionality of the Fortinet product was also discovered by Code White GmbH at the same time.

Let’s summarize the findings for both products.
In Pulse Secure, the following were discovered (just the most important*):

In Fortinet's VPN, the following was discovered:

  • CVE-2018-13379 (FG-IR-18-384) — Path traversal vulnerability in the FortiOS SSL VPN web portal that could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests.
