CVE-2019-11539

Description

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

Add Assessment

wwoolwine-r7 (8)

May 14, 2020 5:19pm UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Low

Exploitability

Very High

Vulnerable in default configuration Authenticated

Technical Analysis

Being an authenticated exploit, it’s certainly of less value to an attacker. Could be used in a privilege escalation context.

ccondon-r7 (286)

October 25, 2020 8:30pm UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

Medium

Common in enterprise Easy to weaponize Gives privileged access Authenticated

Technical Analysis

Pulse Secure’s 2019 vulns are garnering another wave of attention this week as a result of the NSA’s newly published list of CVEs exploited by Chinese state actors. Out of the batch of 2019 disclosures from Orange Tsai’s and Meh Chang’s research, CVE-2019-11510, an pre-authenticated arbitrary file read, was the highest priority for attackers and defenders. The pre-auth file read was a necessary primitive for CVE-2019-11539, a post-authentication vuln that enables attackers to execute commands as root on vulnerable Pulse Secure VPN servers.

Exploit chain: CVE-2020-11510 provides necessary info (plaintext/hashed creds, session IDs) that enables a remote attacker to leverage CVE-2020-11539 to execute commands with the highest privilege level. There’s a Metasploit exploit out that automates the exploit chain, but note that a valid admin session is needed. The original blog from the researchers who disclosed the vulns does a great job of explaining in-depth technical details, too—do check it out if you haven’t done so!

Pulse Secure patched these vulnerabilities in April, 2019. Technical details, public research, and exploits were released over the next six months. There’s been plenty of information available to attackers for quite some time now—I hope organizations have patched given the severity of the bugs and the critical position of SSL VPNs.

See More &2 repliesSee Less

wvu-r7 (437) October 26, 2020 11:16pm UTC (4 years ago)•Edited 4 years ago

This is a great breakdown. Thank you!

wvu-r7 (437) October 26, 2020 11:16pm UTC (4 years ago)

This is a great breakdown. Thank you!

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.2 High

Impact Score:

5.9

Exploitability Score:

1.2

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

High

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

ivanti,
pulsesecure

Products

connect secure 8.1,
connect secure 8.2,
connect secure 8.3,
pulse connect secure 8.1r1.0,
pulse connect secure 8.2r1.0,
pulse connect secure 8.2r1.1,
pulse connect secure 8.2r2.0,
pulse connect secure 8.2r3.0,
pulse connect secure 8.2r3.1,
pulse connect secure 8.2r4.0,
pulse connect secure 8.2r4.1,
pulse connect secure 8.2r5.0,
pulse connect secure 8.2r5.1,
pulse connect secure 8.2r6.0,
pulse connect secure 8.2r7.0,
pulse connect secure 8.2r7.1,
pulse connect secure 8.2rx,
pulse connect secure 8.3rx,
pulse connect secure 9.0r1,
pulse connect secure 9.0r2,
pulse connect secure 9.0r2.1,
pulse connect secure 9.0r3,
pulse connect secure 9.0r3.1,
pulse connect secure 9.0r3.2,
pulse connect secure 9.0rx,
pulse policy secure 5.1r1.0,
pulse policy secure 5.1r1.1,
pulse policy secure 5.1r10.0,
pulse policy secure 5.1r11.0,
pulse policy secure 5.1r11.1,
pulse policy secure 5.1r12.0,
pulse policy secure 5.1r12.1,
pulse policy secure 5.1r13.0,
pulse policy secure 5.1r14.0,
pulse policy secure 5.1r2.0,
pulse policy secure 5.1r2.1,
pulse policy secure 5.1r3.0,
pulse policy secure 5.1r3.2,
pulse policy secure 5.1r4.0,
pulse policy secure 5.1r5.0,
pulse policy secure 5.1r6.0,
pulse policy secure 5.1r7.0,
pulse policy secure 5.1r8.0,
pulse policy secure 5.1r9.0,
pulse policy secure 5.1r9.1,
pulse policy secure 5.2r1.0,
pulse policy secure 5.2r10.0,
pulse policy secure 5.2r11.0,
pulse policy secure 5.2r2.0,
pulse policy secure 5.2r3.0,
pulse policy secure 5.2r3.2,
pulse policy secure 5.2r4.0,
pulse policy secure 5.2r5.0,
pulse policy secure 5.2r6.0,
pulse policy secure 5.2r7.0,
pulse policy secure 5.2r7.1,
pulse policy secure 5.2r8.0,
pulse policy secure 5.2r9.0,
pulse policy secure 5.2r9.1,
pulse policy secure 5.2rx,
pulse policy secure 5.3r1.0,
pulse policy secure 5.3r1.1,
pulse policy secure 5.3r10.,
pulse policy secure 5.3r11.0,
pulse policy secure 5.3r12.0,
pulse policy secure 5.3r2.0,
pulse policy secure 5.3r3.0,
pulse policy secure 5.3r3.1,
pulse policy secure 5.3r4.0,
pulse policy secure 5.3r4.1,
pulse policy secure 5.3r5.0,
pulse policy secure 5.3r5.1,
pulse policy secure 5.3r5.2,
pulse policy secure 5.3r6.0,
pulse policy secure 5.3r7.0,
pulse policy secure 5.3r8.0,
pulse policy secure 5.3r8.1,
pulse policy secure 5.3r8.2,
pulse policy secure 5.3r9.0,
pulse policy secure 5.3rx,
pulse policy secure 5.4r1,
pulse policy secure 5.4r2,
pulse policy secure 5.4r2.1,
pulse policy secure 5.4r3,
pulse policy secure 5.4r4,
pulse policy secure 5.4r5,
pulse policy secure 5.4r5.2,
pulse policy secure 5.4r6,
pulse policy secure 5.4r6.1,
pulse policy secure 5.4r7,
pulse policy secure 5.4rx,
pulse policy secure 9.0r1,
pulse policy secure 9.0r2,
pulse policy secure 9.0r2.1,
pulse policy secure 9.0r3,
pulse policy secure 9.0r3.1,
pulse policy secure 9.0rx

Metasploit Modules

Pulse Secure VPN Arbitrary Command Execution (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/pulse_secure_cmd_exec.rb)

Exploited in the Wild

Reported by:

kreavis-r7

Reported: October 01, 2020 6:57pm UTC (4 years ago)

gwillcox-r7 indicated source as News Article or Blog (https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/)

Reported: January 19, 2022 5:24pm UTC (2 years ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:17am UTC (2 weeks ago)

References

Rapid7

High

High

High

None

High

Network

CVE-2019-11539

Description