Lucene search

K
myhack58佚名MYHACK58:62201995674
HistoryAug 27, 2019 - 12:00 a.m.

Pulse Secure SSL VPN vulnerability alerts-a vulnerability alert-the black bar safety net

2019-08-2700:00:00
佚名
www.myhack58.com
464

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

99.9%

360CERT detected related to security researcher published the Pulse Secure SSL VPN multiple vulnerabilities. Attacks that can exploit the vulnerability to read arbitrary files, including plaintext passwords, account information and Session information, as well as into the background after the implementation of system commands.

0x01 vulnerability details
Vulnerability ID:
CVE-2019-11510 – unauthorized arbitrary file read vulnerability
CVE-2019-11542 – after the authorization stack buffer overflow vulnerability
CVE-2019-11539 – after the grant command injection vulnerability
CVE-2019-11538 – authorized to arbitrarily file read vulnerability
CVE-2019-11508 – authorized to arbitrarily file write vulnerability
CVE-2019-11540 – after the authorization session hijacking vulnerability
Vulnerability impact:
CVE-2019-11510: in the case of authorization can read the system any files
the /etc/passwd
the /etc/hosts
/data/runtime/mtmp/system
/data/runtime/mtmp/lmdb/dataa/data. mdb
/data/runtime/mtmp/lmdb/dataa/lock. mdb
/data/runtime/mtmp/lmdb/randomVal/data. mdb
/data/runtime/mtmp/lmdb/randomVal/lock. mdb
Vpn user and password hash is stored mtmp/system, dataa/data. the mdb stores the user login after the cache of the plaintext password, randomVal/data. the mdb stores user Session. An attacker could exploit this vulnerability to obtain account and password login background.
CVE-2019-11539: background a command injection vulnerability, in the use of on the step into the background after can be combined with this hole to perform system commands.
! [](/Article/UploadPic/2019-8/201982711131470. png)
(Note: the picture cut to the Orange Tsai BlackHat PPT) note: some exploit script has been in the online public, does not exclude that there are already hackers began exploiting the vulnerability to attack.

0x02 impact version
Vulnerability number
Impact version
CVE-2019-11510
Pulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX
CVE-2019-11542
Pulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX and Pulse Policy Secure: 9.0 RX 5.4 RX 5.3 RX 5.2 RX 5.1 RX
CVE-2019-11539
Pulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX and Pulse Policy Secure: 9.0 RX 5.4 RX 5.3 RX 5.2 RX 5.1 RX
CVE-2019-11538
Pulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX
CVE-2019-11508
Pulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX
CVE-2019-11540
Pulse Connect Secure: 9.0 RX 8.3 RX and Pulse Policy Secure: 9.0 RX 5.4 RX

0x03 repair recommendations
Authorities have released the fix version: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/

0x04 timeline
2019-08-10 section vulnerability details disclosed
2019-08-21 part of the exploit script open
2019-08-26 360CERT warning

0x05 reference links
https://hackerone.com/reports/591295
https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa-pre-auth-rce-on-leading-ssl-vpns-15545

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

99.9%