Pulse Secure SSL VPN Vulnerabilities Alert
Researcher detected multiple vulnerabilities in the Pulse Secure SSL VPN. These vulnerabilities can exploit the vulnerability to read arbitrary files including plaintext passwords, account information, and session information, as well as execute system commands.
Vulnerability detail
- CVE-2019-11510 – Pre-auth Arbitrary File Reading
- CVE-2019-11542 – Post-auth Stack Buffer Overflow
- CVE-2019-11539 – Post-auth Command Injection
- CVE-2019-11538 – Post-auth Arbitrary File Reading
- CVE-2019-11508 – Post-auth Arbitrary File Writing
- CVE-2019-11540 – Post-auth Session Hijacking
CVE-2019-11510: Read any system files without authorization.
/etc/passwd
/etc/hosts
/data/runtime/mtmp/system
/data/runtime/mtmp/lmdb/dataa/data.mdb
/data/runtime/mtmp/lmdb/dataa/lock.mdb
/data/runtime/mtmp/lmdb/randomVal/data.mdb
/data/runtime/mtmp/lmdb/randomVal/lock.mdb
The VPN user and hashed passwords are stored in the file mtmp/system. However, Pulse Secure caches the plain-text password in the dataa/data.mdb once the user log-in. Here, we just grep part of username/plain-text-password for proofs and further actions.
CVE-2019-11539: the command injection vulnerability can be combined with this hole to execute system commands.
Affected version
| CVE-2019-11510 | Pulse Connect Secure: 9.0RX 8.3RX 8.2RX |
| CVE-2019-11542 | Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX ,Pulse Policy Secure:9.0RX 5.4RX 5.3RX 5.2RX 5.1RX |
| CVE-2019-11539 | Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX , Pulse Policy Secure: 9.0RX 5.4RX 5.3RX 5.2RX 5.1RX |
| CVE-2019-11538 | Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX |
| CVE-2019-11508 | Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX |
| CVE-2019-11540 | Pulse Connect Secure: 9.0RX 8.3RX ,Pulse Policy Secure: 9.0RX 5.4RX |
Solution
- Pulse Connect Secure and Pulse Policy Secure 9.1R1 and above
- All patched versions stated in the Solution Section
| If the PCS/PPS version is installed: | Then deploy this version (or later) to resolve the issue: |
Expected Release | Notes (if any) |
|
Pulse Connect Secure 9.0RX
|
Pulse Connect Secure 9.0R3.4 & 9.0R4 | Available Now | |
| Pulse Connect Secure 8.3RX | Pulse Connect Secure 8.3R7.1 | Available Now | |
| Pulse Connect Secure 8.2RX | Pulse Connect Secure 8.2R12.1 | Available Now | |
| Pulse Connect Secure 8.1RX | Pulse Connect Secure 8.1R15.1 | Available Now | |
| Pulse Policy Secure 9.0RX | Pulse Policy Secure 9.0R3.2 & 9.0R4 | Available Now | |
| Pulse Policy Secure 5.4RX | Pulse Policy Secure 5.4R7.1 | Available Now | |
| Pulse Policy Secure 5.3RX | Pulse Policy Secure 5.3R12.1 | Available Now | |
| Pulse Policy Secure 5.2RX | Pulse Policy Secure 5.2R12.1 | Available Now | |
| Pulse Policy Secure 5.1RX | Pulse Policy Secure 5.1R15.1 | Available Now |
