Multiple vulnerabilities in Pulse Connect Secure and Pulse Policy Secure
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2019-11507 CVE-2018-19519 CVE-2020-8206 CVE-2020-8218 CVE-2020-8221 CVE-2020-8222 CVE-2020-8219 CVE-2020-8220 CVE-2020-12880 CVE-2020-8204 CVE-2020-8217 CVE-2020-8216 CVE-2020-15408 |
| CWE-ID | CWE-79 CWE-126 CWE-287 CWE-78 CWE-22 CWE-264 CWE-77 CWE-284 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #2 is available. Vulnerability #4 is being exploited in the wild. |
| Vulnerable software Subscribe |
Ivanti Connect Secure (formerly Pulse Connect Secure) Server applications / Remote access servers, VPN Ivanti Policy Secure (formerly Pulse Policy Secure) Server applications / Remote access servers, VPN |
| Vendor | Ivanti |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU27042
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11507
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data on the Application Launcher page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Stack-based buffer over-read
EUVDB-ID: #VU16161
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-19519
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition.
The vulnerability exists in the print_prefix function, as defined in the print-hncp.c source code file of the affected software due to insufficient initialization of the buf variable. A remote attacker can trick the victim into execution of the tcpdumpcommand on a .pcap file that submits malicious input, trigger a stack-based buffer overread and access sensitive memory information or cause a DoS condition.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Improper Authentication
EUVDB-ID: #VU31938
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8206
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests. A remote attacker can bypass the Google TOTP, if the primary credentials are exposed to attacker.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) OS Command Injection
EUVDB-ID: #VU31939
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2020-8218
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the admin panel. A remote authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
5) Path traversal
EUVDB-ID: #VU31940
Risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8221
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the admin panel. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Path traversal
EUVDB-ID: #VU31941
Risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8222
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the admin interface. A remote user can send a specially crafted HTTP request and read arbitrary files on the system through Meeting.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU31942
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8219
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation. A user administrator can change the password of a full Administrator and escalate privileges on the system.
Install updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Command Injection
EUVDB-ID: #VU31943
Risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8220
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing user-supplied input within the administrator web interface. A remote authenticated user can perform command injection that causes denial of service.
Install updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU31944
Risk: Low
CVSSv3.1: 6.6 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12880
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to improper security restrictions. An attacker with physical access to the device can manipulate kernel boot parameter to gain the root access of VA Appliances.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Cross-site scripting
EUVDB-ID: #VU31945
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8204
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via URL to PSAL Page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Cross-site scripting
EUVDB-ID: #VU31946
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8217
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via URL used for Citrix ICA. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper access control
EUVDB-ID: #VU31947
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8216
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote authenticated user can discover find meeting details, if they know the Meeting ID.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Improper access control
EUVDB-ID: #VU31948
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15408
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote authenticated user can access the admin panel of the device via the end user web interface through rewrite.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 9.1R1 - 9.1R7
Ivanti Policy Secure (formerly Pulse Policy Secure): 9.1R1 - 9.1R7
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/p?pubstatus=o
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
