Multiple vulnerabilities in Pulse Connect Secure and Pulse Policy Secure



Published: 2019-04-25 | Updated: 2020-04-22
Risk Medium
Patch available YES
Number of vulnerabilities 15
CVE-ID CVE-2019-11510
CVE-2019-11508
CVE-2019-11540
CVE-2019-11543
CVE-2019-11541
CVE-2019-11542
CVE-2019-11539
CVE-2019-11538
CVE-2019-11509
CVE-2019-11507
CVE-2018-16513
CVE-2018-18284
CVE-2018-15911
CVE-2018-15910
CVE-2018-15909
CWE-ID CWE-22
CWE-384
CWE-79
CWE-200
CWE-121
CWE-78
CWE-264
CWE-284
CWE-843
CWE-94
CWE-20
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerability #7 is being exploited in the wild.
Public exploit code for vulnerability #11 is available.
Public exploit code for vulnerability #12 is available.
Public exploit code for vulnerability #15 is available.
Vulnerable software
Subscribe
Pulse Connect Secure
Server applications / Remote access servers, VPN

Pulse Policy Secure
Server applications / Remote access servers, VPN

Vendor Pulse Secure

Security Bulletin

This security bulletin contains information about 15 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU27029

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-11510

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to read arbitrary files on the system.

The vulnerability exists due to input validation error when processing HTTP requests in Pulse Connect Secure. A remote non-authenticated attacker can send a specially crafted HTTP request and read contents of arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.2R1 - 9.0R3.2


CPE2.3 External links

http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html
http://packetstormsecurity.com/files/154231/Pulse-Secure-SSL-VPN-File-Disclosure-NSE.html
http://www.securityfocus.com/bid/108073
http://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/
http://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
http://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
http://kb.pulsesecure.net/?atype=sa
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://lists.apache.org/thread.html/ff5fa1837b6bd1b24d18a42faa75e165a4573dbe2d434910c15fd08a@%3Cuser.guacamole.apache.org%3E
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Path traversal

EUVDB-ID: #VU27030

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-11508

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing file uploads within Network File Share (NFS) feature of Pulse Connect Secure. A remote authenticated user can can send a specially crafted HTTP request and upload dangerous files to arbitrary locations on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.1R1.0 - 9.0R3.2


CPE2.3 External links

http://kb.pulsesecure.net/?atype=sa
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Session Fixation

EUVDB-ID: #VU27035

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-11540

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

Description

The vulnerability allows a remote attacker to hijack users' sessions.

The vulnerability exists due to insufficient session validation in Pulse Connect Secure and Pulse Policy Secure. A remote attacker can can conduct a session hijacking attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.3R1 - 9.0R3.2

Pulse Policy Secure: 5.4R1 - 9.0R3.1


CPE2.3 External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

4) Cross-site scripting

EUVDB-ID: #VU27036

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-11543

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.1R1.0 - 9.0R3.2

Pulse Policy Secure: 5.2R1.0 - 9.0R3.1


CPE2.3 External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://www.kb.cert.org/vuls/id/927237

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

5) Information disclosure

EUVDB-ID: #VU27037

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-11541

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to information leak, when SAML authentication with the Reuse Existing NC (Pulse) Session option is used. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.2R1 - 9.0R3.2


CPE2.3 External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://www.kb.cert.org/vuls/id/927237

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

6) Stack-based buffer overflow

EUVDB-ID: #VU27038

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-11542

CWE-ID: CWE-121 - Stack-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Pulse Connect Secure and Pulse Policy Secure. A remote authenticated authenticated user (via the admin web interface)  can send specially crafted message, trigger a stack-based buffer overflow and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.1R1.0 - 9.0R3.2

Pulse Policy Secure: 5.1R1.0 - 9.0R3.1


CPE2.3 External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

7) OS Command Injection

EUVDB-ID: #VU27039

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-11539

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in admin web interface of Pulse Connect Secure and Pulse Policy Secure. A remote authenticated user can execute arbitrary OS commands.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.1R1.0 - 9.0R3.2

Pulse Policy Secure: 5.1R1.0 - 9.0R3.1


CPE2.3 External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

8) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU27040

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-11538

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to improper privilege management in NFS functionality. A remote authenticated user can view contents of arbitrary files on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.1R1.0 - 9.0R3.2


CPE2.3 External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

9) Improper access control

EUVDB-ID: #VU27041

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-11509

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions within the admin web interface in Pulse Connect Secure and Pulse Policy Secure. A remote authenticated user can bypass implemented security restrictions and execute arbitrary system commands on the appliance.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.1R1.0 - 9.0R3.2

Pulse Policy Secure: 5.1R1.0 - 9.0R3.1


CPE2.3 External links

http://kb.pulsesecure.net/?atype=sa
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://www.kb.cert.org/vuls/id/927237

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

10) Cross-site scripting

EUVDB-ID: #VU27042

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-11507

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data on the Application Launcher page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.3R1 - 9.0R3.2


CPE2.3 External links

http://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
http://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
http://kb.pulsesecure.net/?atype=sa
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

11) Type confusion

EUVDB-ID: #VU14689

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-16513

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code on the target system.

The vulnerability exists due to a type confusion condition in the setcolor function. A remote unauthenticated attacker can trick the victim into opening a specially crafted PostScript file that submits malicious input and cause the affected software to crash or execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.2R1 - 9.0R3.2


CPE2.3 External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

12) Code injection

EUVDB-ID: #VU15463

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-18284

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass the sandbox protection mechanism on the target system.

The vulnerability exists due to the failure of the sandbox protection mechanism of the affected software when the 1Policy operator is used. A remote unauthenticated attacker can trick the victim into accessing a PostScript file that submits malicious input, bypass the sandbox protection mechanism and modify or replace error handlers used by the software, which the attacker could use to inject and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.2R1 - 9.0R3.2


CPE2.3 External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

13) Improper input validation

EUVDB-ID: #VU14562

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-15911

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the bypass of the -dSAFER option. A remote unauthenticated attacker can submit a specially crafted PostScript file, cause uninitialized memory access in the aesdecode operator and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise. 

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.2R1 - 9.0R3.2


CPE2.3 External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

14) Type confusion

EUVDB-ID: #VU14564

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-15910

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the bypass of the -dSAFER option. A remote unauthenticated attacker can submit a specially crafted PostScript file, trigger type confusion in LockDistillerParams parameter and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.2R1 - 9.0R3.2


CPE2.3 External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

15) Improper input validation

EUVDB-ID: #VU14496

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-15909

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions and execute arbitrary system commands.

The vulnerability exists due to improper input validation when processing malformed PostScript, PDF, EPS, or XPS files. A remote attacker can supply a specially crafted file, bypass -dSAFER restrictions and execute arbitrary commands on vulnerable system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.2R1 - 9.0R3.2


CPE2.3 External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###