search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Pulse Secure VPN contains multiple vulnerabilities

Vulnerability Note VU#927237

Original Release Date: 2019-10-16 | Last Revised: 2019-10-23

Overview

Pulse Secure SSL VPN contains multiple vulnerabilities that can allow remote unauthenticated remote attacker to compromise the VPN server and connected clients.

Description

Pulse Secure released an out-of-cycle advisory along with software patches for the various affected products on April 24, 2019. This addressed a number of vulnerabilities including a Remote Code Execution (RCE) vulnerability with pre-authentication access. This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates. The CVE-2019-11510 has a CVSS score of 10.

The CVEs listed in the advisory are:

CVE-2019-11510 - Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability.
CVE-2019-11509 - Authenticated attacker via the admin web interface can exploit this issue to execute arbitrary code on the Pulse Secure appliance.
CVE-2019-11508 - A vulnerability in the Network File Share (NFS) of Pulse Connect Secure allows an authenticated end-user attacker to upload a malicious file to write arbitrary files to the local system.
CVE-2019-11507 - A XSS issue has been found in Pulse Secure Application Launcher page. Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1, and 9.0.x before 9.0R3.
CVE-2019-11543 - A XSS issue found the admin web console. Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1.
CVE-2019-11542 - Authenticated attacker via the admin web interface can send a specially crafted message resulting in a stack buffer overflow.
CVE-2019-11541 - Users using SAML authentication with Reuse Existing NC (Pulse) Session option may see authentication leaks
CVE-2019-11540 - A vulnerability in the Pulse Secure could allow an unauthenticated, remote attacker to conduct a (end user) session hijacking attack.
CVE-2019-11539 - Authenticated attacker via the admin web interface allow attacker to inject and execute command injection
CVE-2019-11538 - A vulnerability in the Network File Share (NFS) of Pulse Connect Secure could allow an authenticated end-user attacker to access the contents of arbitrary files on the local file system.

Exploitation of these vulnerabilities was demonstrated at various events and proved to be highly impactful due to the direct access to admin privileges and the consequent ability to infect multiple VPN connected users and their desktops. Initially there was a lack of clarity about CVE-2019-11510, as to whether it can be mitigated with the requirement of a client-certificate or two-factor authentication (2FA) to prevent this attack. CERT/CC has confirmed with the vendor that this vulnerability cannot be mitigated using client certificate and furthermore there is no viable alternative to updating the Pulse Secure VPN software to a non-vulnerable version. Even if client certificates are required for user authentication, CVE-2019-11510 can be exploited by an unauthenticated remote attacker to obtain session IDs of active users stored in /data/runtime/mtmp/lmdb/randomVal/data.mdb. The attacker can use these session IDs to impersonate as one of the active users. If a Pulse Secure administrator is currently active and the administrative access is available to the attacker, attacker could gain administrative access to Pulse Secure VPN. It is highly recommended that all Pulse Secure VPN administrators perform the required upgrade on all their affected products. If your Pulse Secure VPN has been identified as End of Engineering (EOE) and End of Life (EOL), we highly recommend replacement of the VPN appliance entirely without any delay - please check Pulse Secure advisory for this information.

Timelines of specific events:
March 22, 2019 – Security researcher O. Tsai and M. Chang responsibly disclose vulnerability to Pulse Secure
April 24, 2019 - Initial advisory posted and software updates posted by Pulse Secure to the Download Center
April 25, 2019 – Assignment of CVE-2019-11510, CVE-2019-11509, CVE-2019-11508, CVE-2019-11507, CVE-2019-11543, CVE-2019-11542, CVE-2019-11541, CVE-2019-11540, CVE-2019-11539, CVE-2019-11538
April 26, 2019 - Workaround provided for CVE-2019-11508 about disabling file sharing as a mitigation
May 28 2019 – Large commercial vendors get reports of vulnerable VPN through HackerOne
July 31 2019 – Full RCE use of exploit demonstrated using the admin session hash to get complete shell
August 8 2019 - Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation
August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade
October 7, 2019 – NSA produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by Advanced Persistent Threat actors

Impact

A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Solution

There is no viable workaround except to apply the patch and updates provided by the vendor. It is incorrect to assume use of client certificates or two-factor authentication (2FA) can prevent CVE-2019-11510 RCE pre-auth vulnerability. Updates are available from Pulse Secure Advisory.

CVE-2019-11508 and CVE-2019-11538 can be mitigated by disabling File Sharing on the Pulse Secure VPN appliance.

There are no workarounds that address the other vulnerabilities.

Vendor Information

927237
 
Affected   Unknown   Unaffected

Pulse Secure

Notified:  October 09, 2019 Updated:  October 16, 2019

Status

  Affected

Vendor Statement

Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS).

Vendor Information

Vendor has provided a detailed advisory here.

There is no workaround to address CVE-2019-11510 vulnerability. Pulse Secure recommends software upgrade as soon as possible.

Vendor References


CVSS Metrics

Group Score Vector
Base 9.4 AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal 8.2 E:H/RL:OF/RC:C
Environmental 8.2 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was reported by Pulse Secure, who in turn credit Orange Tsai and Meh Chang from DEVCORE research team, and Jake Valletta from FireEye

This document was written by Vijay S Sarvepalli.

Other Information

CVE IDs: CVE-2019-11510, CVE-2019-11509, CVE-2019-11508, CVE-2019-11507, CVE-2019-11543, CVE-2019-11542, CVE-2019-11541, CVE-2019-11540, CVE-2019-11539, CVE-2019-11538
Date Public: 2019-04-28
Date First Published: 2019-10-16
Date Last Updated: 2019-10-23 02:35 UTC
Document Revision: 33

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.