A recent Remote Code Execution (RCE) vulnerability has many VPN users and administrators scrambling to patch their systems. Are you affected? Learn more.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert regarding VPN servers that were exploited through a remote code execution (RCE) vulnerability. The vulnerability in question is CVE-2019-11510. The CISA report states:
“Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerability, known as CVE-2019-11510, can become compromised in an attack.”
Pulse Secure VPN released the initial advisory and software update in April 2019. Many users and administrators have updated their systems. However, the alert from CISA states that not enough have taken the initiative to patch the vulnerability. CISA “strongly urge users and administrators to upgrade to the corresponding fixes.”
What is a Remote Code Execution?
A Remote Code Execution (RCE), sometimes referred to as a Remote Code Evaluation, is a vulnerability that is exploited when user input is injected into a file and executed by the code’s parser. This activity is not intended by the web application developer and may lead to a full compromise of the application as well as the webserver. RCE can affect almost every programming language, which makes it a serious threat.
Typically, once an attacker is able to exploit an RCE vulnerability, they also have access and privileges on the webserver. This creates an additional threat, since the attacker can also write, delete, and read files, connect to databases, and issue system commands.
How do you know if you are at risk?
The CVE-2019-11510 vulnerability affects Pulse Secure VPN users. Pulse Secure first released an advisory in April 2019. It states “Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS).”
Since that time, a patch has been available on the Pulse Secure knowledgebase. If your systems use Pulse Secure VPN services, you should take action immediately. CISA advises that you update your systems as soon as possible to avoid infiltration.
The only way to repair the CVE-2019-11510 vulnerability is to apply the patches provided by the vendor. In this case, the vendor is Pulse Secure VPN. You will also need to subsequently perform the required system updates.
How to prevent RCE in the future
As the administrator of your server, you can follow the steps below to avoid vulnerabilities in the future:
- Avoid using user input inside evaluated code, or avoid using eval functions completely
- Always keep systems updated
- Follow the CISA website, the THG Hosting blog, and other cybersecurity websites to receive notifications regarding impending threats
- Carefully manage system users at all times and never allow users more privileges than are absolutely necessary
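
The first item in the list above, shown as an added example in Python (not code from the original article or from any vendor): a hypothetical calculator function that passes user input to eval(), beside a version that parses the input as data and evaluates only allowlisted arithmetic. The function names, the length limit and the sample inputs are assumptions made for this illustration.

```python
import ast
import operator

# Allowlist: the only operators that user input may contain.
_BINARY_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
               ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_INPUT_LENGTH = 100  # assumed limit; also bounds parser recursion depth


def unsafe_calculate(user_input):
    """Vulnerable pattern: user input reaches eval() and runs as code."""
    return eval(user_input)


def _evaluate(node):
    """Walk the syntax tree and compute only allowlisted node types."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        return _BINARY_OPS[type(node.op)](_evaluate(node.left), _evaluate(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_evaluate(node.operand))
    # Names, calls, attribute access and everything else are rejected.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_calculate(user_input):
    """Hardened form: the input is parsed as data and never executed."""
    if len(user_input) > MAX_INPUT_LENGTH:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(user_input, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a valid expression") from exc
    return _evaluate(tree.body)


# Constructed sample inputs: plain arithmetic, and a harmless function call.
BENIGN = "2 * (3 + 4) - 1"
FUNCTION_CALL = "__import__('os').getcwd()"

if __name__ == "__main__":
    print(safe_calculate(BENIGN))
    print(type(unsafe_calculate(FUNCTION_CALL)))  # eval() executed the call
    try:
        safe_calculate(FUNCTION_CALL)
    except ValueError as err:
        print("rejected:", err)
```

The hardened version fails closed: any syntax that is not on the allowlist raises ValueError before anything is computed.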