ID CVE-2019-11540 Type cve Reporter cve@mitre.org Modified 2020-08-24T17:37:00
Description
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.
{"hackerone": [{"lastseen": "2019-12-02T21:26:28", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": ["CVE-2019-11508", "CVE-2019-11510", "CVE-2019-11538", "CVE-2019-11539", "CVE-2019-11540", "CVE-2019-11542"], "description": "##Description\nHello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:\n**CVE-2019-11510 - Pre-auth Arbitrary File Reading**\nCVE-2019-11542 - Post-auth Stack Buffer Overflow\n**CVE-2019-11539 - Post-auth Command Injection**\nCVE-2019-11538 - Post-auth Arbitrary File Reading\n**CVE-2019-11508 - Post-auth Arbitrary File Writing**\nCVE-2019-11540 - Post-auth Session Hijacking\n\nLink to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf\n\nI discovered that https://\u2588\u2588\u2588\u2588 instance is vulnerable to described vulnerabilities.\n\n##POC\nExtracting `/etc/passwd` as example:\n```\ncurl -i -k --path-as-is https://\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/\n```\n{F561180}\n\nThe RCE can be achieved with this chain:\n1) Pulse Secure stores credentials in the cleartext.\n2) Attacker reads credentials via CVE-2019-11510 (it stored in the `/data/runtime/mtmp/lmdb/dataa/data.mdb`) and authorizes on VPN\n3) Attacker exploits CVE-2019-11539 - Post-auth Command Injection achieving RCE as root.\n\n##Suggested fix\nUpdate the Pulse Secure SSL VPN software (also implementing certificate validation can harden access a bit if some similar CVEs will be discovered in future).\n\n## Impact\n\nRemote code execution as root (by reading plaintext credentials and then exploiting CVE-2019-11539 - Post-auth Command Injection) and accessing intranet behind VPN.", "modified": "2019-12-02T19:59:54", "published": "2019-08-21T13:03:00", "id": "H1:678496", "href": "https://hackerone.com/reports/678496", "type": 
"hackerone", "title": "U.S. Dept Of Defense: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://\u2588\u2588\u2588", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-10T15:53:38", "bulletinFamily": "bugbounty", "bounty": 20160.0, "cvelist": ["CVE-2019-11508", "CVE-2019-11510", "CVE-2019-11538", "CVE-2019-11539", "CVE-2019-11540", "CVE-2019-11542"], "description": "Hi, we(Orange Tsai and Meh Chang) are the security research team from DEVCORE. Recently, we are doing a research about SSL VPN security, and found several critical vulnerabilities on Pulse Secure SSL VPN! We have reported to vendor and [patches](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101) have been released on `2019/4/25`. Since that, we keep monitoring numerous large corporations using Pulse Secure and we noticed that Twitter haven't patched the SSL VPN server over one month!\n\nThese vulnerabilities include a pre-auth file reading(CVSS 10) and a post-auth(admin) command injection(CVSS 8.0) which can be chained into a pre-auth RCE! Here are all vulnerabilities we found:\n\n* CVE-2019-11510 - Pre-auth Arbitrary File Reading\n* CVE-2019-11542 - Post-auth Stack Buffer Overflow\n* CVE-2019-11539 - Post-auth Command Injection\n* CVE-2019-11538 - Post-auth Arbitrary File Reading\n* CVE-2019-11508 - Post-auth Arbitrary File Writing\n* CVE-2019-11540 - Post-auth Session Hijacking\n\n\n## Our Steps\n\nFirst, we download following files with CVE-2019-11510:\n1. `/etc/passwd`\n2. `/etc/hosts`\n3. `/data/runtime/mtmp/system`\n4. `/data/runtime/mtmp/lmdb/dataa/data.mdb`\n5. `/data/runtime/mtmp/lmdb/dataa/lock.mdb`\n6. `/data/runtime/mtmp/lmdb/randomVal/data.mdb`\n7. `/data/runtime/mtmp/lmdb/randomVal/lock.mdb`\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n\nThe VPN user and hashed passwords are stored in the file `mtmp/system`. 
However, Pulse Secure caches the plain-text password in the `dataa/data.mdb` once the user log-in. Here, we just grep part of username/plain-text-password for proofs and further actions.\n\n*P.S. we mask the password field for security concerns, and we can send to you if you provide your PGP key.*\n\n```\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\n```\n\nOnce we log into the SSL VPN, we found the server has enabled the Two-Factor Authentication. Here, we listed two methods to bypass the 2FA:\n\n\u2588\u2588\u2588\u2588\n\n1. We observed Twitter using the 2FA solution from Duo.com. With the file `mtmp/system`, we could obtain the integration key, secret key, and API hostname, which should be protected carefully according to the [Duo documentation](https://duo.com/docs/pulseconnect):\n\n > Treat your secret key like a password\n The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!\n\n ```\n # secret-key = \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\n dc=\u2588\u2588\u2588,dc=duosecurity,dc=com\n cn=<USER>\n\n # LDAP password = \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\n uid=<username>\n ```\n\n2. The Pulse Secure stores the user session in the `randomVal/data.mdb`. 
Without `Roaming Session` option enabled, we can reuse the session and log into your SSL VPN!\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n\n\nThe next, in order to trigger the command injection(CVE-2019-11542). We leverage the web proxy function to access the admin interface with following URL:\n\n```\nhttps://0/admin/\n```\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\nWe are now trying to crack the admin hash by GPU. It seems takes a long time, but once we cracked, we can achieve RCE absolutely. Actually, we can simply wait for the admin login and obtain the plain-text password directly!\n```\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n```\n\nAnyway, we decided to report to you first, because it's lethal and critical. If you want, we can provide the RCE PoC in admin interface in order to proof the potential risk!\n\n\n## Impact:\n\n1. Access Intranet(we have accessed the `\u2588\u2588\u2588\u2588\u2588\u2588\u2588` for proof) \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n2. Plenty of staff plain-text passwords\n3. Internal server and passwords(such as the LDAP)\n4. Attack back all VPN clients(we will detail the step in [Black Hat USA 2019](https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545))\n5. Private keys\n6. Sensitive cookies in Web VPN(such as okta, salesforce, box.com and google)\n\n## Supporting Material/References:\n\nWe attached screenshots to proof our actions. For security concern, we didn't attach the `mtmp/system` and the `dataa/data.mdb`. If you want, we can send to you with your PGP key encrypted!\n\n## Recommend Solution\n\nThe only and simplest way to solve this problem is to upgrade your SSL VPN to the [latest version](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101)!\n\n## Impact\n\n1. 
Access Intranet(we have accessed the `\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588` for proof) \u2588\u2588\u2588\u2588\n2. Plenty of staff plain-text passwords\n3. Internal server and passwords(such as the LDAP)\n4. Attack back all VPN clients(we will detail the step in [Black Hat USA 2019](https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545))\n5. Private keys\n6. Sensitive cookies in Web VPN(such as okta, salesforce, box.com and google)", "modified": "2019-08-10T15:06:45", "published": "2019-05-28T07:53:44", "id": "H1:591295", "href": "https://hackerone.com/reports/591295", "type": "hackerone", "title": "Twitter: Potential pre-auth RCE on Twitter VPN", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2019-08-27T08:41:40", "bulletinFamily": "info", "cvelist": ["CVE-2019-11538", "CVE-2019-11508", "CVE-2019-11542", "CVE-2019-11540", "CVE-2019-11510", "CVE-2019-11539"], "description": "360CERT detected related to security researcher published the Pulse Secure SSL VPN multiple vulnerabilities. Attacks that can exploit the vulnerability to read arbitrary files, including plaintext passwords, account information and Session information, as well as into the background after the implementation of system commands. 
\n\n0x01 vulnerability details \nVulnerability ID: \nCVE-2019-11510 \u2013 unauthorized arbitrary file read vulnerability \nCVE-2019-11542 \u2013 after the authorization stack buffer overflow vulnerability \nCVE-2019-11539 \u2013 after the grant command injection vulnerability \nCVE-2019-11538 \u2013 authorized to arbitrarily file read vulnerability \nCVE-2019-11508 \u2013 authorized to arbitrarily file write vulnerability \nCVE-2019-11540 \u2013 after the authorization session hijacking vulnerability \nVulnerability impact: \nCVE-2019-11510: in the case of authorization can read the system any files \nthe /etc/passwd \nthe /etc/hosts \n/data/runtime/mtmp/system \n/data/runtime/mtmp/lmdb/dataa/data. mdb \n/data/runtime/mtmp/lmdb/dataa/lock. mdb \n/data/runtime/mtmp/lmdb/randomVal/data. mdb \n/data/runtime/mtmp/lmdb/randomVal/lock. mdb \nVpn user and password hash is stored mtmp/system, dataa/data. the mdb stores the user login after the cache of the plaintext password, randomVal/data. the mdb stores user Session. An attacker could exploit this vulnerability to obtain account and password login background. \nCVE-2019-11539: background a command injection vulnerability, in the use of on the step into the background after can be combined with this hole to perform system commands. \n! [](/Article/UploadPic/2019-8/201982711131470. png) \n(Note: the picture cut to the Orange Tsai BlackHat PPT) note: some exploit script has been in the online public, does not exclude that there are already hackers began exploiting the vulnerability to attack. 
\n\n0x02 impact version \nVulnerability number \nImpact version \nCVE-2019-11510 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX \nCVE-2019-11542 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX and Pulse Policy Secure: 9.0 RX 5.4 RX 5.3 RX 5.2 RX 5.1 RX \nCVE-2019-11539 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX and Pulse Policy Secure: 9.0 RX 5.4 RX 5.3 RX 5.2 RX 5.1 RX \nCVE-2019-11538 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX \nCVE-2019-11508 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX \nCVE-2019-11540 \nPulse Connect Secure: 9.0 RX 8.3 RX and Pulse Policy Secure: 9.0 RX 5.4 RX \n\n0x03 repair recommendations \nAuthorities have released the fix version: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ \n\n0x04 timeline \n2019-08-10 section vulnerability details disclosed \n2019-08-21 part of the exploit script open \n2019-08-26 360CERT warning \n\n0x05 reference links \nhttps://hackerone.com/reports/591295 \nhttps://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa-pre-auth-rce-on-leading-ssl-vpns-15545 \n\n", "edition": 1, "modified": "2019-08-27T00:00:00", "published": "2019-08-27T00:00:00", "id": "MYHACK58:62201995674", "href": "http://www.myhack58.com/Article/html/3/62/2019/95674.htm", "title": "Pulse Secure SSL VPN vulnerability alerts-a vulnerability alert-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-09-29T01:07:55", "description": "According to its self-reported version, the version of Pulse Policy\nSecure running on the remote host is affected by multiple\nvulnerabilities.\n\n - A session hijacking vulnerability exists in PPS. An\n unauthenticated, remote attacker can exploit this, to perform\n actions in the user or administrator interface with the\n privileges of another user. 
(CVE-2019-11540)\n\n - Multiple vulnerabilities found in the admin web interface of PPS\n (CVE-2019-11543, CVE-2019-11542, CVE-2019-11539, CVE-2019-11509)\n\n - Multiple vulnerabilities found in Network File Share (NFS) of PPS\n , allows the attacker to read/write arbitrary files on the\n affected device. (CVE-2019-11538, CVE-2019-11508)\n\nRefer to the vendor advisory for additional information.", "edition": 14, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-10T00:00:00", "title": "Pulse Policy Secure Multiple Vulnerabilities (SA44101)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-11538", "CVE-2019-11509", "CVE-2019-11508", "CVE-2019-11542", "CVE-2019-11540", "CVE-2019-11543", "CVE-2019-11539"], "modified": "2019-05-10T00:00:00", "cpe": ["cpe:/a:pulse_secure:pulse_policy_secure"], "id": "PULSE_POLICY_SECURE-SA-44101.NASL", "href": "https://www.tenable.com/plugins/nessus/124767", "sourceData": "#\n# (c) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124767);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/28\");\n\n script_cve_id(\n \"CVE-2019-11509\",\n \"CVE-2019-11539\",\n \"CVE-2019-11540\",\n \"CVE-2019-11542\",\n \"CVE-2019-11543\"\n );\n script_bugtraq_id(108073);\n script_xref(name:\"IAVA\", value:\"2019-A-0309-S\");\n script_xref(name:\"IAVA\", value:\"0001-A-0001-S\");\n\n script_name(english:\"Pulse Policy Secure Multiple Vulnerabilities (SA44101)\");\n script_summary(english:\"Checks PPS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Policy\nSecure running on the remote host is affected by multiple\nvulnerabilities.\n\n - A session hijacking vulnerability exists in PPS. 
An\n unauthenticated, remote attacker can exploit this, to perform\n actions in the user or administrator interface with the\n privileges of another user. (CVE-2019-11540)\n\n - Multiple vulnerabilities found in the admin web interface of PPS\n (CVE-2019-11543, CVE-2019-11542, CVE-2019-11539, CVE-2019-11509)\n\n - Multiple vulnerabilities found in Network File Share (NFS) of PPS\n , allows the attacker to read/write arbitrary files on the\n affected device. (CVE-2019-11538, CVE-2019-11508)\n\nRefer to the vendor advisory for additional information.\");\n # https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d23f9165\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the appropriate version referenced in the advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11540\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pulse Secure VPN Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulse_secure:pulse_policy_secure\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_policy_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Policy Secure\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::get_app_info(app:'Pulse Policy Secure', port:443);\n\nconstraints = [\n {'min_version' : '5.1R1' , 'fixed_version' : '5.1R15.1'},\n {'min_version' : '5.2R1' , 'fixed_version' : '5.2R12.1'},\n {'min_version' : '5.3R1' , 'fixed_version' : '5.3R12.1'},\n {'min_version' : '5.4R1' , 'fixed_version' : '5.4R7.1.'},\n {'min_version' : '9.0R1' , 'fixed_version' : '9.0R3.2', 'display_version' : '9.0R3.2 / 9.0R4' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-24T13:30:54", "description": "According to its self-reported version, the version of Pulse Connect\nSecure running on the remote host is affected by multiple\nvulnerabilities.\n\n - An arbitrary file read vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, via specially\n crafted URI, to read arbitrary files and disclose sensitive\n information. (CVE-2019-11510)\n\n - Multiple vulnerabilities are found in Ghostscript.(CVE-2018-16513\n , CVE-2018-18284, CVE-2018-15911, CVE-2018-15910, CVE-2018-15909)\n\n - A session hijacking vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, to perform\n actions in the user or administrator interface with the\n privileges of another user. 
(CVE-2019-11540)\n\n - An authentication leaks seen in users using SAML authentication\n with the reuse existing NC (Pulse) session option.\n (CVE-2019-11541)\n\n - Multiple vulnerabilities found in the admin web interface of PCS.\n (CVE-2019-11543, CVE-2019-11542, CVE-2019-11509, CVE-2019-11539)\n\n - Multiple vulnerabilities found in Network File Share (NFS) of PCS\n , allows the attacker to read/write arbitrary files on the\n affected device. (CVE-2019-11538, CVE-2019-11508)\n\n - A cross-site scripting (XSS) vulnerability exists in application\n launcher page due to improper validation of user-supplied input\n before returning it to users. An attacker can exploit this, by\n convincing a user to click a specially crafted URL, to execute\n arbitrary script code in a user's browser session.\n (CVE-2019-11507)\n\nRefer to the vendor advisory for additional information.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-10T00:00:00", "title": "Pulse Connect Secure Multiple Vulnerabilities (SA44101)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2019-11507", "CVE-2019-11538", "CVE-2019-11509", "CVE-2019-11508", "CVE-2018-18284", "CVE-2018-15911", "CVE-2019-11542", "CVE-2019-11540", "CVE-2019-11543", "CVE-2019-11510", "CVE-2019-11541", "CVE-2018-15909", "CVE-2018-16513", "CVE-2019-11539"], "modified": "2019-05-10T00:00:00", "cpe": ["cpe:/a:pulse_secure:pulse_connect_secure"], "id": "PULSE_CONNECT_SECURE-SA-44101.NASL", "href": "https://www.tenable.com/plugins/nessus/124766", "sourceData": "#\n# (c) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124766);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/23\");\n\n script_cve_id(\n \"CVE-2018-15909\",\n \"CVE-2018-15910\",\n \"CVE-2018-15911\",\n \"CVE-2018-16513\",\n \"CVE-2018-18284\",\n \"CVE-2019-11507\",\n 
\"CVE-2019-11508\",\n \"CVE-2019-11509\",\n \"CVE-2019-11510\",\n \"CVE-2019-11538\",\n \"CVE-2019-11539\",\n \"CVE-2019-11540\",\n \"CVE-2019-11541\",\n \"CVE-2019-11542\",\n \"CVE-2019-11543\"\n );\n script_bugtraq_id(105122, 107451, 108073);\n script_xref(name:\"IAVA\", value:\"2019-A-0309-S\");\n script_xref(name:\"IAVA\", value:\"0001-A-0001-S\");\n\n script_name(english:\"Pulse Connect Secure Multiple Vulnerabilities (SA44101)\");\n script_summary(english:\"Checks PCS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect\nSecure running on the remote host is affected by multiple\nvulnerabilities.\n\n - An arbitrary file read vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, via specially\n crafted URI, to read arbitrary files and disclose sensitive\n information. (CVE-2019-11510)\n\n - Multiple vulnerabilities are found in Ghostscript.(CVE-2018-16513\n , CVE-2018-18284, CVE-2018-15911, CVE-2018-15910, CVE-2018-15909)\n\n - A session hijacking vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, to perform\n actions in the user or administrator interface with the\n privileges of another user. (CVE-2019-11540)\n\n - An authentication leaks seen in users using SAML authentication\n with the reuse existing NC (Pulse) session option.\n (CVE-2019-11541)\n\n - Multiple vulnerabilities found in the admin web interface of PCS.\n (CVE-2019-11543, CVE-2019-11542, CVE-2019-11509, CVE-2019-11539)\n\n - Multiple vulnerabilities found in Network File Share (NFS) of PCS\n , allows the attacker to read/write arbitrary files on the\n affected device. 
(CVE-2019-11538, CVE-2019-11508)\n\n - A cross-site scripting (XSS) vulnerability exists in application\n launcher page due to improper validation of user-supplied input\n before returning it to users. An attacker can exploit this, by\n convincing a user to click a specially crafted URL, to execute\n arbitrary script code in a user's browser session.\n (CVE-2019-11507)\n\nRefer to the vendor advisory for additional information.\");\n # https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d23f9165\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the appropriate version referenced in the advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11540\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Pulse Connect Secure File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pulse Secure VPN Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:pulse_secure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:443, embedded:TRUE);\napp_info = vcf::pulse_connect_secure::get_app_info(app:'Pulse Connect Secure', port:port, full_version:TRUE, webapp:TRUE);\n\nconstraints = [\n {'min_version' : '8.3.1', 'fixed_version':'8.3.7.65025', 'fixed_display' : '8.3R7.1'},\n {'min_version' : '8.2.1', 'fixed_version':'8.2.12.64003', 'fixed_display' : '8.2R12.1'},\n {'min_version' : '8.1.1', 'fixed_version':'8.1.15.59747', 'fixed_display' : '8.1R15.1'},\n {'min_version' : '9.0.1', 'fixed_version':'9.0.3.64053', 'fixed_display' : '9.0R3.4 / 9.0R4'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2020-09-18T20:41:42", "bulletinFamily": "info", "cvelist": ["CVE-2019-11507", "CVE-2019-11508", "CVE-2019-11509", "CVE-2019-11510", "CVE-2019-11538", "CVE-2019-11539", "CVE-2019-11540", "CVE-2019-11541", "CVE-2019-11542", "CVE-2019-11543"], "description": "### Overview \n\nPulse Secure SSL VPN contains multiple vulnerabilities that can allow remote unauthenticated remote attacker to compromise the VPN server and connected clients.\n\n### Description \n\nPulse Secure released an out-of-cycle [advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) along with software patches for the various affected products on April 24, 2019. 
This addressed a number of vulnerabilities including a Remote Code Execution (RCE) vulnerability with pre-authentication access. This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates. The [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) has a CVSS score of 10. \n\nThe CVEs listed in the advisory are: \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability. \n[CVE-2019-11509](<https://nvd.nist.gov/vuln/detail/CVE-2019-11509>) \\- Authenticated attacker via the admin web interface can exploit this issue to execute arbitrary code on the Pulse Secure appliance. \n[CVE-2019-11508 ](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>)\\- A vulnerability in the Network File Share (NFS) of Pulse Connect Secure allows an authenticated end-user attacker to upload a malicious file to write arbitrary files to the local system. \n[CVE-2019-11507](<https://nvd.nist.gov/vuln/detail/CVE-2019-11507>) \\- A XSS issue has been found in Pulse Secure Application Launcher page. Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1, and 9.0.x before 9.0R3. \n[CVE-2019-11543](<https://nvd.nist.gov/vuln/detail/CVE-2019-11543>) \\- A XSS issue found the admin web console. Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1. \n[CVE-2019-11542](<https://nvd.nist.gov/vuln/detail/CVE-2019-11542>) \\- Authenticated attacker via the admin web interface can send a specially crafted message resulting in a stack buffer overflow. 
\n[CVE-2019-11541](<https://nvd.nist.gov/vuln/detail/CVE-2019-11541>) \\- Users using SAML authentication with Reuse Existing NC (Pulse) Session option may see authentication leaks \n[CVE-2019-11540](<https://nvd.nist.gov/vuln/detail/CVE-2019-11540>) \\- A vulnerability in the Pulse Secure could allow an unauthenticated, remote attacker to conduct a (end user) session hijacking attack. \n[CVE-2019-11539](<https://nvd.nist.gov/vuln/detail/CVE-2019-11539>) \\- Authenticated attacker via the admin web interface allow attacker to inject and execute command injection \n[CVE-2019-11538](<https://nvd.nist.gov/vuln/detail/CVE-2019-11538>) \\- A vulnerability in the Network File Share (NFS) of Pulse Connect Secure could allow an authenticated end-user attacker to access the contents of arbitrary files on the local file system. \n \nExploitation of these vulnerabilities was demonstrated at various events and proved to be highly impactful due to the direct access to admin privileges and the consequent ability to infect multiple VPN connected users and their desktops. Initially there was a lack of clarity about CVE-2019-11510, as to whether it can be mitigated with the requirement of a client-certificate or two-factor authentication (2FA) to prevent this attack. CERT/CC has confirmed with the vendor that this vulnerability cannot be mitigated using client certificate and furthermore there is no viable alternative to updating the Pulse Secure VPN software to a non-vulnerable version. Even if client certificates are required for user authentication, CVE-2019-11510 can be exploited by an unauthenticated remote attacker to obtain session IDs of active users stored in /data/runtime/mtmp/lmdb/randomVal/data.mdb. The attacker can use these session IDs to impersonate as one of the active users. If a Pulse Secure administrator is currently active and the administrative access is available to the attacker, attacker could gain administrative access to Pulse Secure VPN. 
It is highly recommended that all Pulse Secure VPN administrators perform the required upgrade on all their affected products. If your Pulse Secure VPN has been identified as End of Engineering (EOE) and End of Life (EOL), we highly recommend replacement of the VPN appliance entirely without any delay - please check Pulse Secure advisory for this information. \n \nTimelines of specific events: \nMarch 22, 2019 \u2013 Security researcher O. Tsai and M. Chang responsibly disclose vulnerability to Pulse Secure \nApril 24, 2019 - Initial advisory posted and software updates posted by Pulse Secure to the Download Center \nApril 25, 2019 \u2013 Assignment of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-11509](<https://nvd.nist.gov/vuln/detail/CVE-2019-11509>), [CVE-2019-11508](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>), [CVE-2019-11507](<https://nvd.nist.gov/vuln/detail/CVE-2019-11507>), [CVE-2019-11543](<https://nvd.nist.gov/vuln/detail/CVE-2019-11543>), [CVE-2019-11542](<https://nvd.nist.gov/vuln/detail/CVE-2019-11542>), [CVE-2019-11541](<https://nvd.nist.gov/vuln/detail/CVE-2019-11541>), [CVE-2019-11540](<https://nvd.nist.gov/vuln/detail/CVE-2019-11540>), [CVE-2019-11539](<https://nvd.nist.gov/vuln/detail/CVE-2019-11539>), [CVE-2019-11538](<https://nvd.nist.gov/vuln/detail/CVE-2019-11538>) \nApril 26, 2019 - Workaround provided for [CVE-2019-11508](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>) about disabling file sharing as a mitigation \nMay 28 2019 \u2013 Large commercial vendors get reports of vulnerable VPN through HackerOne \nJuly 31 2019 \u2013 Full RCE use of exploit demonstrated using the admin session hash to get complete shell \nAugust 8 2019 - Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation \nAugust 24, 2019 \u2013 Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an 
upgrade \nOctober 7, 2019 \u2013 NSA produces a Cybersecurity Advisory on Pulse Secure and other VPN products being actively targeted by Advanced Persistent Threat actors \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server. \n \n--- \n \n### Solution \n\nThere is **no** viable workaround except to apply the patch and updates provided by the vendor. It is incorrect to assume that use of client certificates or two-factor authentication (2FA) can prevent the [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) RCE pre-auth vulnerability. Updates are available from the [Pulse Secure Advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>). \n \n--- \n \n[CVE-2019-11508](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>) and [CVE-2019-11538](<https://nvd.nist.gov/vuln/detail/CVE-2019-11538>) can be mitigated by disabling File Sharing on the Pulse Secure VPN appliance. \n \nThere are **no** workarounds that address the other vulnerabilities. \n \n--- \n \n### Vendor Information\n\n### Pulse Secure: Affected\n\nNotified: October 09, 2019 Updated: October 16, 2019 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nMultiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS).\n\n### Vendor Information \n\nThe vendor has provided a detailed advisory [here](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>). 
\n\nThere is no workaround to address the CVE-2019-11510 vulnerability. Pulse Secure recommends a software upgrade as soon as possible.\n\n### Vendor References\n\n * <https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.4 | AV:N/AC:L/Au:N/C:C/I:C/A:N \nTemporal | 8.2 | E:H/RL:OF/RC:C \nEnvironmental | 8.2 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>\n * <https://cyber.gc.ca/en/alerts/active-exploitation-vpn-vulnerabilities>\n * <https://github.com/projectzeroindia/CVE-2019-11510>\n * <https://www.exploit-db.com/exploits/47297>\n * <https://www.youtube.com/watch?v=v7JUMb70ON4>\n * <https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/>\n * <https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>\n\n### Acknowledgements\n\nThis vulnerability was reported by Pulse Secure, who in turn credit Orange Tsai and Meh Chang from the DEVCORE research team, and Jake Valletta from FireEye.\n\nThis document was written by Vijay S Sarvepalli.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2019-11510](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-11509](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11509>), [CVE-2019-11508](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11508>), [CVE-2019-11507](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11507>), [CVE-2019-11543](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11543>), [CVE-2019-11542](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11542>), [CVE-2019-11541](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11541>), [CVE-2019-11540](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11540>), [CVE-2019-11539](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11539>), 
[CVE-2019-11538](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-11538>) \n---|--- \n**Date Public:** | 2019-04-28 \n**Date First Published:** | 2019-10-16 \n**Date Last Updated: ** | 2019-10-23 02:35 UTC \n**Document Revision: ** | 43 \n", "modified": "2019-10-23T02:35:00", "published": "2019-10-16T00:00:00", "id": "VU:927237", "href": "https://www.kb.cert.org/vuls/id/927237", "type": "cert", "title": "Pulse Secure VPN contains multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}