Vulners
Lucene search
Pulse Secure Client For Windows Local Privilege Escalation Vulnerability
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Pulsesecure Pulse_Secure_Desktop_Client | 2 Sep 202017:58 | – | githubexploit |
 | CVE-2020-13162 | 16 Jun 202000:00 | – | attackerkb |
 | The vulnerability of the executable file PulseSecureService.exe in the corporate SSL-based VPN Pulse Secure Desktop Client allows a hacker to increase their privileges. | 16 Apr 202100:00 | – | bdu_fstec |
 | CVE-2020-13162 | 2 Sep 202020:27 | – | circl |
 | CVE-2020-13162 | 16 Jun 202019:41 | – | cve |
 | CVE-2020-13162 | 16 Jun 202019:41 | – | cvelist |
 | EUVD-2020-5435 | 7 Oct 202500:30 | – | euvd |
 | 2020-06: Out-of-Cycle Advisory: Pulse Secure Client TOCTOU Privilege Escalation Vulnerability (CVE-2020-13162) | 14 Feb 202307:22 | – | ivanti |
 | Vulnerability fixed in Pulse Secure Client for Windows | 18 Jun 202000:00 | – | ncsc |
 | CVE-2020-13162 | 16 Jun 202020:15 | – | nvd |
10
Pulse Secure is recognized among the top 10 Network Access Control (NAC)
vendors by global revenue market share. The company declares that "80%
of Fortune 500 trust its VPN products by protecting over 20 million
users".
At Red Timmy Security we have discovered that Pulse Secure Client for
Windows suffers of a local privilege escalation vulnerability in the
“PulseSecureService.exe” service. Exploiting this issue allows an
attacker to trick “PulseSecureService.exe” into running an arbitrary
Microsoft Installer executable (“.msi”) with SYSTEM privileges, granting
them administrative rights.
The vulnerability lies in the “dsInstallerService” component, which
provides non-administrative users the ability to install or update new
components using installers provided by Pulse Secure. While
“dsInstallerService” performs a signature verification on the content of
the installer, it has been found that it’s possible to bypass the check
providing the service with a legit Pulse Secure installer and swapping
it with a malicious one after the verification
We have registered CVE-2020-13162 for this vulnerability.
Full story here:
https://www.redtimmy.com/privilege-escalation/pulse-secure-client-for-windows-9-1-6-toctou-privilege-escalation-cve-2020-13162/
Disclosure Timeline
-------------------
Vulnerability discovered: April 13th, 2020
Vendor contacted: April 15th, 2020
Vendor's reply: April 17th, 2020
Vendor patch released: May 22nd, 2020
Red Timmy Disclosure: June 16th, 2020
Bug discovered by: Giuseppe Calì
Exploit by: Marco Ortisi & Giuseppe Calì
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Jun 2020 00:00Current
0.4Low risk
Vulners AI Score0.4
CVSS 26.9
CVSS 3.17
EPSS0.00347
SSVC