Jan 13, 2020
U.S. Government Issues Powerful Security Alert: Upgrade VPN Or Expect Cyber-Attacks
Posted by Quinn Sena in categories: cybercrime/malcode, government, policy
The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert that strongly urges users and administrators alike to update a VPN with long-since disclosed critical vulnerabilities. “Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerability,” the CISA alert warns, “can become compromised in an attack.” What has dictated the need for this level of Government agency interest and the urgency of the language used? The simple answer is the ongoing Travelex foreign currency exchange cyber-attack, thought to have been facilitated by no less than seven VPN servers that were late in being patched against this critical vulnerability. The vulnerability in question is CVE-2019–11510, first disclosed way back in April 2019 when Pulse Secure VPN also released a patch to fix it.
Critical VPN security vulnerability timeline
The CISA alert provides a telling timeline that outlines how the Pulse Secure VPN critical vulnerability, CVE-2019–11510, became such a hot security potato. Pulse Secure first released an advisory regarding the vulnerabilities in the VPN on April 24, 2019. “Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS),” that advisory warned, “this includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway.” An upgrade patch to fix the problem, which had been rated as critical, was made available at the same time. Warning users that the vulnerabilities posed a “significant risk to your deployment,” Pulse Secure recommended patching as soon as possible.