Pulse Secure SSL VPN vulnerability alert (vulnerability alerts, myhack58 / Black Bar Safety Net)

Source: www.myhack58.com (MYHACK58:62201995674)
Author: 佚名 (anonymous)
Published: 2019-08-27 00:00:00

CVSS3: 10.0 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.5 High
AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

360CERT has observed that security researchers have published multiple vulnerabilities in Pulse Secure SSL VPN. An attacker can exploit them to read arbitrary files from the appliance, including plaintext passwords, account information and session data, and, after getting into the admin backend, execute system commands.

0x01 vulnerability details
Vulnerability IDs:
CVE-2019-11510 – pre-authentication arbitrary file read
CVE-2019-11542 – post-authentication stack buffer overflow
CVE-2019-11539 – post-authentication command injection
CVE-2019-11538 – post-authentication arbitrary file read
CVE-2019-11508 – post-authentication arbitrary file write
CVE-2019-11540 – pre-authentication session hijacking
Vulnerability impact:
CVE-2019-11510: without any authentication, an attacker can read arbitrary files on the appliance, for example:
/etc/passwd
/etc/hosts
/data/runtime/mtmp/system
/data/runtime/mtmp/lmdb/dataa/data.mdb
/data/runtime/mtmp/lmdb/dataa/lock.mdb
/data/runtime/mtmp/lmdb/randomVal/data.mdb
/data/runtime/mtmp/lmdb/randomVal/lock.mdb
VPN usernames and password hashes are stored in mtmp/system; dataa/data.mdb caches the plaintext passwords of users who have logged in; randomVal/data.mdb stores user sessions. An attacker can therefore use this one vulnerability to obtain account credentials and log in to the admin backend.
CVE-2019-11539: a command injection in the admin backend. Once the previous step has given access to the backend, it can be chained with this vulnerability to execute system commands on the appliance.
(Figure: exploit-chain slide taken from Orange Tsai's BlackHat presentation; image not reproduced here.)
Note: some exploit scripts are already public online, so it cannot be ruled out that attackers have already begun exploiting these vulnerabilities.
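As an added example (not part of the original alert and not Pulse Secure's code): detection logic that flags attempts to pull the files listed above out of an appliance over HTTP, run over a few constructed access-log lines. The log format is assumed to be the common/combined access-log format, and the sample request paths are made up for illustration; they are not the real CVE-2019-11510 trigger, which this alert does not give.

```python
import re
from urllib.parse import unquote

# Files the alert lists as readable through CVE-2019-11510. Any request that
# reaches one of these on a VPN appliance deserves an alert of its own.
SENSITIVE_PATHS = (
    "/etc/passwd",
    "/etc/hosts",
    "/data/runtime/mtmp/system",
    "/data/runtime/mtmp/lmdb/dataa/data.mdb",
    "/data/runtime/mtmp/lmdb/dataa/lock.mdb",
    "/data/runtime/mtmp/lmdb/randomVal/data.mdb",
    "/data/runtime/mtmp/lmdb/randomVal/lock.mdb",
)

# Minimal parser for the common/combined access-log format (assumed format):
# client, identd, user, [timestamp], "METHOD url PROTO", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Directory traversal in either slash style.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def normalise(url):
    """Percent-decode until the string stops changing (max 3 rounds), so that
    double-encoded traversal such as %252e%252e is seen as '..'."""
    cur, prev = url, None
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def classify(url):
    """Return (kind, matched_paths) for one request URL.

    kind is 'sensitive_file_read' when the decoded URL names one of the files
    above, 'path_traversal' when it only contains '..' sequences, else None.
    """
    decoded = normalise(url).lower()
    hits = [p for p in SENSITIVE_PATHS if p.lower() in decoded]
    if hits:
        return "sensitive_file_read", hits
    if TRAVERSAL_RE.search(decoded):
        return "path_traversal", []
    return None, []


def scan(lines):
    """Run classify() over access-log lines and return the findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, hits = classify(m["url"])
        if kind is None:
            continue
        status = int(m["status"])
        # A 200 on a sensitive path means the appliance actually served the
        # file; treat that as confirmed exposure, anything else as a probe.
        severity = "critical" if kind == "sensitive_file_read" and status == 200 else "medium"
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "url": m["url"],
            "kind": kind, "files": hits, "status": status, "severity": severity,
        })
    return findings


# Constructed sample log (not captured from a real appliance). The request
# paths are deliberately generic: they are NOT the real CVE-2019-11510
# trigger, which this alert does not give.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2019:10:01:02 +0800] "GET /login HTTP/1.1" 200 5120
203.0.113.7 - - [26/Aug/2019:10:01:09 +0800] "GET /x/../../../../../../etc/passwd HTTP/1.1" 200 1402
203.0.113.7 - - [26/Aug/2019:10:01:15 +0800] "GET /x/%2e%2e/%2e%2e/%2e%2e/%2e%2e/data/runtime/mtmp/lmdb/dataa/data.mdb HTTP/1.1" 200 1048576
198.51.100.4 - - [26/Aug/2019:10:02:40 +0800] "GET /x/../../etc/shadow HTTP/1.1" 404 210
192.0.2.10 - - [26/Aug/2019:10:03:00 +0800] "POST /login HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["ip"], f["kind"], f["files"] or f["url"])
```

Run the file directly to print the findings. A 200 with a sizeable byte count on one of the LMDB or mtmp/system paths means the cached plaintext passwords or session data named above have already left the appliance: treat every credential stored on it as compromised, not just the account behind the one request.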

0x02 affected versions
Vulnerability ID: affected versions
CVE-2019-11510: Pulse Connect Secure 9.0RX, 8.3RX, 8.2RX
CVE-2019-11542: Pulse Connect Secure 9.0RX, 8.3RX, 8.2RX, 8.1RX; Pulse Policy Secure 9.0RX, 5.4RX, 5.3RX, 5.2RX, 5.1RX
CVE-2019-11539: Pulse Connect Secure 9.0RX, 8.3RX, 8.2RX, 8.1RX; Pulse Policy Secure 9.0RX, 5.4RX, 5.3RX, 5.2RX, 5.1RX
CVE-2019-11538: Pulse Connect Secure 9.0RX, 8.3RX, 8.2RX, 8.1RX
CVE-2019-11508: Pulse Connect Secure 9.0RX, 8.3RX, 8.2RX, 8.1RX
CVE-2019-11540: Pulse Connect Secure 9.0RX, 8.3RX; Pulse Policy Secure 9.0RX, 5.4RX

0x03 remediation
Pulse Secure has released fixed versions; see the official advisory: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
Because CVE-2019-11510 exposes cached plaintext passwords and session data without authentication, patching an appliance that was reachable while vulnerable is not enough on its own: rotate the credentials of every account on it and invalidate existing sessions as well.

0x04 timeline
2019-08-10 partial vulnerability details disclosed
2019-08-21 some exploit scripts published
2019-08-26 360CERT alert issued

0x05 reference links
https://hackerone.com/reports/591295
https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa-pre-auth-rce-on-leading-ssl-vpns-15545
