Security researchers have discovered a code execution vulnerability in Pulse Secure VPN which could be used by attackers to take control of an organization’s entire network if left unpatched.
While investigating a customer’s deployment of this popular enterprise VPN, researchers at the security firm GoSecure first discovered the flaw which requires an attacker to have administrative rights on the system running Pulse Secure VPN to exploit. However, they were easily able to obtain admin privileges during their testing by tricking an administrator into clicking on a malicious link embedded in an email.
Security researcher at GoSecure, Jean-Frédéric Gauron stressed the seriousness of the code execution vulnerability, tracked as CVE-2020-8218, his team had discovered in a blog post, saying:
“While it does require to be authenticated, the fact that it can be triggered by a simple phishing attack on the right victim should be evidence enough that this vulnerability is not to be ignored.”
As more employees are working from home than ever before due to the pandemic, cybercriminals have begun to target the VPN services they use to securely connect to their company networks while working remotely. In fact, the FBI and CISA recently issued a joint advisory warning organizations and their employees about a new vishing campaign that tries to steal VPN credentials by targeting employees working remotely.
In addition to the code execution vulnerability GoSecure discovered, the security firm has also found three other vulnerabilities in Pulse Secure VPN. Of these though, the code execution vulnerability is the most serious but the team plans to publish blog posts on each of the flaws it found once they have been fixed or 90 days after disclosure.
Failing to patch VPN software can have serious consequences for businesses as shown by last year’s Travelex hack where the operators of the REvil ransomware were able to gain access to the company’s network as a result of one or more critical Pulse Secure vulnerabilities that were left unpatched by administrators.
Organizations using Pulse Secure VPN should update Pulse Connect to version 9.1 R8 to avoid falling victim to any potential attacks that leverage the code execution vulnerability discovered by GoSecure.
- We’ve also highlighted the best VPN software
Via Ars Technica