10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.973 High
EPSS
Percentile
99.8%
Hi, we (Orange Tsai and Meh Chang) are the security research team from DEVCORE. Recently, we have been doing research on SSL VPN security, and found several critical vulnerabilities in Pulse Secure SSL VPN! We have reported them to the vendor and patches have been released on 2019/4/25. Since then, we have kept monitoring numerous large corporations using Pulse Secure and we noticed that Twitter hasn't patched the SSL VPN server for over one month!
These vulnerabilities include a pre-auth file read (CVSS 10) and a post-auth (admin) command injection (CVSS 8.0) which can be chained into a pre-auth RCE! Here are all the vulnerabilities we found:
First, we download the following files with CVE-2019-11510:
/etc/passwd
/etc/hosts
/data/runtime/mtmp/system
/data/runtime/mtmp/lmdb/dataa/data.mdb
/data/runtime/mtmp/lmdb/dataa/lock.mdb
/data/runtime/mtmp/lmdb/randomVal/data.mdb
/data/runtime/mtmp/lmdb/randomVal/lock.mdb
██████████
The VPN users and hashed passwords are stored in the file mtmp/system. However, Pulse Secure caches the plain-text password in dataa/data.mdb once the user logs in. Here, we just grep part of the username/plain-text-password pairs for proof and further actions.
P.S. We mask the password field for security concerns, and we can send it to you if you provide your PGP key.
█████████ / ████
█████████ / ██████
█████ / █████████
██████████ / █████████
███ / ██████
Once we logged into the SSL VPN, we found the server has Two-Factor Authentication enabled. Here, we list two methods to bypass the 2FA:
████
We observed Twitter using the 2FA solution from Duo.com. With the file mtmp/system, we could obtain the integration key, secret key, and API hostname, which should be protected carefully according to the Duo documentation:
> Treat your secret key like a password
> The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
# secret-key = ██████████
████
dc=███,dc=duosecurity,dc=com
cn=<USER>
# LDAP password = ██████████
██████████
█████
███████
uid=<username>
Pulse Secure stores the user session in randomVal/data.mdb. Without the Roaming Session option enabled, we can reuse the session and log into your SSL VPN!
██████████
Next, in order to trigger the command injection (CVE-2019-11542), we leverage the web proxy function to access the admin interface with the following URL:
https://0/admin/
████████
We are now trying to crack the admin hash with a GPU. It seems to take a long time, but once we crack it, we can absolutely achieve RCE. Actually, we can simply wait for the admin to log in and obtain the plain-text password directly!
███████
███████
Anyway, we decided to report to you first, because it's lethal and critical. If you want, we can provide the RCE PoC in the admin interface in order to prove the potential risk!
███████
for proof) ██████████
We attached screenshots to prove our actions. For security concerns, we didn't attach the mtmp/system and the dataa/data.mdb. If you want, we can send them to you encrypted with your PGP key!
The only and simplest way to solve this problem is to upgrade your SSL VPN to the latest version!
████████
for proof) ████
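As an added example for the file-read step the report describes (this is not part of the original report, and not DEVCORE's or Pulse Secure's code): a small Python scanner that runs over constructed web-server access-log lines and flags CVE-2019-11510 exploitation attempts. It flags a request only when the path contains directory traversal and resolves to one of the files listed in the report, and it separately notes the `?/dana/html5acc/guacamole/` query suffix, which is the publicly documented shape of the exploit URL and is not shown in the report itself. The log lines and client addresses are constructed, the combined log format is an assumption about how the front end logs requests, and `SENSITIVE_PATHS` is taken from the report's file list.

```python
import posixpath
import re
from urllib.parse import unquote

# Files the report shows being pulled with CVE-2019-11510 (taken from the file list
# in the report above; the lmdb entry is a directory prefix so both data.mdb and
# lock.mdb under it match).
SENSITIVE_PATHS = (
    "/etc/passwd",
    "/etc/hosts",
    "/data/runtime/mtmp/system",
    "/data/runtime/mtmp/lmdb/",
)

# Query suffix seen in the publicly documented exploit URL for CVE-2019-11510.
# Its presence is a strong indicator even when the traversal itself is obfuscated.
GUACAMOLE_SUFFIX = "/dana/html5acc/guacamole/"

# Constructed sample log lines in combined log format (assumption: this is how the
# front end logs requests). The addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2019:01:02:03 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2019:01:02:04 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 812 "-" "python-requests/2.21.0"
198.51.100.9 - - [10/Jun/2019:01:02:05 +0000] "GET /dana-na/..%2fdana/html5acc/guacamole/..%2f..%2f..%2f..%2f..%2f..%2f..%2fdata/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 40211 "-" "python-requests/2.21.0"
198.51.100.9 - - [10/Jun/2019:01:02:06 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/system?/dana/html5acc/guacamole/ HTTP/1.1" 403 0 "-" "python-requests/2.21.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_target(target, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (..%252f) is seen too."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request(target):
    """Return traversal details for a request target, or None if it looks benign.

    A request is flagged only when the path contains traversal AND the path it
    resolves to is one of the sensitive files, so ordinary requests under
    /dana-na/ are ignored.
    """
    decoded = decode_target(target)
    path, _, query = decoded.partition("?")
    traversal = "/../" in path or path.endswith("/..")
    resolved = posixpath.normpath(path)
    hit = next(
        (p for p in SENSITIVE_PATHS
         if resolved == p or resolved.startswith(p.rstrip("/") + "/")),
        None,
    )
    if not (traversal and hit):
        return None
    return {
        "resolved": resolved,
        "guacamole_bypass": GUACAMOLE_SUFFIX in query,
    }


def scan_log(text):
    """Scan access-log text and return one finding per exploitation attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["target"])
        if verdict is None:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "resolved_path": verdict["resolved"],
            "guacamole_bypass": verdict["guacamole_bypass"],
            "status": int(m["status"]),
            # A 200 with a body means the file was actually served: treat it as a
            # confirmed read, not just an attempt.
            "succeeded": m["status"] == "200" and m["size"] not in ("0", "-"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        state = "READ" if f["succeeded"] else "attempt"
        print(f'{f["time"]} {f["ip"]} {state} {f["resolved_path"]} '
              f'(guacamole suffix: {f["guacamole_bypass"]})')
```

A confirmed read of mtmp/system or of the lmdb data.mdb should be treated as a credential and session compromise, not only as a file disclosure: the report shows those files carry plain-text passwords, the Duo secret key, and reusable sessions, so patching alone is not a complete response for hosts where the scan reports `succeeded`.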