U.S. Dept Of Defense: Command Injection (via CVE-2019-11510 and CVE-2019-11539)

Summary:
The Navy has a Pulse Secure SSL VPN (https://████████/dana-na/auth/url_default/welcome.cgi) that is vulnerable to:
CVE-2019-11510 - Pre-auth Arbitrary File Reading
CVE-2019-11539 - Post-auth Command Injection

vulnerable hostname from ssl certificate: ██████████.navy.mil

The pre-auth arbitrary file reading vulnerability (CVE-2019-11510) enables an un-authenicated user to read the file /data/runtime/mtmp/lmdb/dataa/data.mdb from the Pulse VPN device. This files contains admin and other users credentials in plain-text format. This information can be used to log into the pulse device as an administrator.

Once logged in as an administrator, the post-auth command injection vulnerability (CVE-2019-11539) allows an attacker to execute commands on the device. Commands execution could lead to compromise to other servers on the network or malware implantation.

There was a talk recently at Blackhat USA that goes into great detail of the vulnerabilities and how to exploit them.

Exploit code was recently released to the public for this vulnerability. I would consider this an extremely critical issue, and others will be scanning your network trying to compromise this. The Pulse Secure version can be obtained from your device via a publicly available file here (https://██████████/dana-na/nc/nc_gina_ver.txt), so it is really easy to detect for attackers.

Here are links to Blackhat presentation, Pulse Secure Security Bulletin, exploit code, video of exploit code in action and example report found on twitter’s network.

Blackhat 2019 Presentation
https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf

Pulse Secure Security Bulletin
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

Publicly available exploit code:
https://raw.githubusercontent.com/projectzeroindia/CVE-2019-11510/master/CVE-2019-11510.sh

Video of how exploit works:
https://www.youtube.com/watch?v=v7JUMb70ON4&feature=youtu.be

Example report found on Twitter’s network
https://hackerone.com/reports/591295

Impact

Critical - I would consider this an extremely critical issue, and others will be scanning your network trying to compromise this.

Step-by-step Reproduction Instructions

1. From macos/linux command line issue the following command;
   curl --path-as-is -s -k “https://███████/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/”

This will display the /etc/passwd file from the pulse secure device. This in itself it enough to confirm the presence of both vulnerabilities.

I’ve attached screenshots of getting the vulnerable Pulse Secure version from the device, and confirming the arbitrary file read vulnerability. I did not attempt to login into your device as administrator. Reading /etc/passwd is enough to confirm the vulnerability exists.

Product, Version, and Configuration (If applicable)

Pulse Secure 9.0.1.63949

Suggested Mitigation/Remediation Actions

Install updated firmware/os from the Pulse Secure Security Bulletin
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

Impact

An attacker could compromise this device, and gain access to the DoD networks, compromise other servers, or implant malware.