Vulnerability identifier: #VU26749

Vulnerability risk: High

CVSSv3.1: 8.1 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-11581

CWE-ID: CWE-78

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Ivanti Connect Secure (formerly Pulse Connect Secure)
Server applications / Remote access servers, VPN
Ivanti Policy Secure (formerly Pulse Policy Secure)
Server applications / Remote access servers, VPN

Vendor: Ivanti

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in doCustomRemediateInstructions methodm when the Host Checker policy is enforced. A remote attacker with ability to perform MitM attack (see vulnerability #1) can inject and execute arbitrary OS commands on the client system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Ivanti Connect Secure (formerly Pulse Connect Secure): All versions

Ivanti Policy Secure (formerly Pulse Policy Secure): All versions

---

External links
http://git.lsd.cat/g/pulse-host-checker-rce
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.