Pulse Secure SSL VPN Vulnerabilities Alert

Researcher detected multiple vulnerabilities in the Pulse Secure SSL VPN. These vulnerabilities can exploit the vulnerability to read arbitrary files including plaintext passwords, account information, and session information, as well as execute system commands.

Vulnerability detail

  • CVE-2019-11510 – Pre-auth Arbitrary File Reading
  • CVE-2019-11542 – Post-auth Stack Buffer Overflow
  • CVE-2019-11539 – Post-auth Command Injection
  • CVE-2019-11538 – Post-auth Arbitrary File Reading
  • CVE-2019-11508 – Post-auth Arbitrary File Writing
  • CVE-2019-11540 – Post-auth Session Hijacking

CVE-2019-11510: Read any system files without authorization.

/etc/passwd
/etc/hosts
/data/runtime/mtmp/system
/data/runtime/mtmp/lmdb/dataa/data.mdb
/data/runtime/mtmp/lmdb/dataa/lock.mdb
/data/runtime/mtmp/lmdb/randomVal/data.mdb
/data/runtime/mtmp/lmdb/randomVal/lock.mdb

The VPN user and hashed passwords are stored in the file mtmp/system. However, Pulse Secure caches the plain-text password in the dataa/data.mdb once the user log-in. Here, we just grep part of username/plain-text-password for proofs and further actions.

CVE-2019-11539: the command injection vulnerability can be combined with this hole to execute system commands.

Affected version

CVE-2019-11510 Pulse Connect Secure: 9.0RX 8.3RX 8.2RX
CVE-2019-11542 Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX ,Pulse Policy Secure:9.0RX 5.4RX 5.3RX 5.2RX 5.1RX
CVE-2019-11539 Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX , Pulse Policy Secure: 9.0RX 5.4RX 5.3RX 5.2RX 5.1RX
CVE-2019-11538 Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX
CVE-2019-11508 Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX
CVE-2019-11540 Pulse Connect Secure: 9.0RX 8.3RX ,Pulse Policy Secure: 9.0RX 5.4RX

Solution

  • Pulse Connect Secure and Pulse Policy Secure 9.1R1 and above
  • All patched versions stated in the Solution Section
If the PCS/PPS version is installed: Then deploy this version (or later)
to resolve the issue:
Expected Release Notes (if any)
Pulse Connect Secure 9.0RX
Pulse Connect Secure 9.0R3.4 & 9.0R4 Available Now
Pulse Connect Secure 8.3RX Pulse Connect Secure 8.3R7.1 Available Now
Pulse Connect Secure 8.2RX Pulse Connect Secure 8.2R12.1 Available Now
Pulse Connect Secure 8.1RX Pulse Connect Secure 8.1R15.1 Available Now
Pulse Policy Secure 9.0RX Pulse Policy Secure 9.0R3.2 & 9.0R4 Available Now
Pulse Policy Secure 5.4RX Pulse Policy Secure 5.4R7.1 Available Now
Pulse Policy Secure 5.3RX Pulse Policy Secure 5.3R12.1 Available Now
Pulse Policy Secure 5.2RX Pulse Policy Secure 5.2R12.1 Available Now
Pulse Policy Secure 5.1RX Pulse Policy Secure 5.1R15.1 Available Now