High
CVE-2019-11539
Description
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.
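A patch-verification check built from the fixed releases in the description above. This is an added example, not AttackerKB or vendor code; the inventory hosts are constructed, and the `<branch>R<release>[.<minor>]` version format is assumed from the version strings on this page.

```python
import re

# First fixed release per branch, taken from the CVE description above.
FIXED = {
    "PCS": {"9.0": (3, 4), "8.3": (7, 1), "8.2": (12, 1), "8.1": (15, 1)},
    "PPS": {"9.0": (3, 2), "5.4": (7, 1), "5.3": (12, 1),
            "5.2": (12, 1), "5.1": (15, 1)},
}

_VERSION = re.compile(r"^(\d+\.\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Split '8.3R7.1' into ('8.3', (7, 1)); a missing minor counts as 0."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return match.group(1), (int(match.group(2)), int(match.group(3) or 0))


def status(product, version):
    """Return 'affected', 'fixed' or 'not-listed' for one appliance."""
    fixed_by_branch = FIXED.get(product.upper())
    if fixed_by_branch is None:
        raise ValueError(f"unknown product: {product!r}")
    branch, release = parse_version(version)
    fixed = fixed_by_branch.get(branch)
    if fixed is None:
        return "not-listed"  # branch not named in the description
    # Tuple comparison is numeric, so R7.1 sorts before R12.1.
    return "affected" if release < fixed else "fixed"


def audit(inventory):
    """Map (host, product, version) rows to (host, status) pairs."""
    return [(host, status(product, version))
            for host, product, version in inventory]


# Constructed inventory for illustration only.
INVENTORY = [
    ("vpn-gw-01.example.internal", "PCS", "9.0R3.2"),
    ("vpn-gw-02.example.internal", "PCS", "8.2R12.1"),
    ("nac-01.example.internal", "PPS", "9.0R3.2"),
]

if __name__ == "__main__":
    for host, result in audit(INVENTORY):
        print(f"{host}: {result}")
```

The same version string can be affected on one product and fixed on the other (9.0R3.2 is fixed for Pulse Policy Secure but not for Pulse Connect Secure), so the product has to be part of the inventory record.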
Ratings
- Attacker Value: Low
- Exploitability: Very High
Technical Analysis
Being an authenticated exploit, it’s certainly of less value to an attacker. Could be used in a privilege escalation context.
Ratings
- Attacker Value: Very High
- Exploitability: Medium
Technical Analysis
Pulse Secure’s 2019 vulns are garnering another wave of attention this week as a result of the NSA’s newly published list of CVEs exploited by Chinese state actors. Out of the batch of 2019 disclosures from Orange Tsai’s and Meh Chang’s research, CVE-2019-11510, a pre-authenticated arbitrary file read, was the highest priority for attackers and defenders. The pre-auth file read was a necessary primitive for CVE-2019-11539, a post-authentication vuln that enables attackers to execute commands as root on vulnerable Pulse Secure VPN servers.
Exploit chain: CVE-2020-11510 provides necessary info (plaintext/hashed creds, session IDs) that enables a remote attacker to leverage CVE-2020-11539 to execute commands with the highest privilege level. There’s a Metasploit exploit out that automates the exploit chain, but note that a valid admin session is needed. The original blog from the researchers who disclosed the vulns does a great job of explaining in-depth technical details, too—do check it out if you haven’t done so!
Pulse Secure patched these vulnerabilities in April, 2019. Technical details, public research, and exploits were released over the next six months. There’s been plenty of information available to attackers for quite some time now—I hope organizations have patched given the severity of the bugs and the critical position of SSL VPNs.
This is a great breakdown. Thank you!
CVSS V3 Severity and Metrics
General Information
Vendors
- ivanti,
- pulsesecure
Products
- connect secure 8.1,
- connect secure 8.2,
- connect secure 8.3,
- pulse connect secure 8.1r1.0,
- pulse connect secure 8.2r1.0,
- pulse connect secure 8.2r1.1,
- pulse connect secure 8.2r2.0,
- pulse connect secure 8.2r3.0,
- pulse connect secure 8.2r3.1,
- pulse connect secure 8.2r4.0,
- pulse connect secure 8.2r4.1,
- pulse connect secure 8.2r5.0,
- pulse connect secure 8.2r5.1,
- pulse connect secure 8.2r6.0,
- pulse connect secure 8.2r7.0,
- pulse connect secure 8.2r7.1,
- pulse connect secure 8.2rx,
- pulse connect secure 8.3rx,
- pulse connect secure 9.0r1,
- pulse connect secure 9.0r2,
- pulse connect secure 9.0r2.1,
- pulse connect secure 9.0r3,
- pulse connect secure 9.0r3.1,
- pulse connect secure 9.0r3.2,
- pulse connect secure 9.0rx,
- pulse policy secure 5.1r1.0,
- pulse policy secure 5.1r1.1,
- pulse policy secure 5.1r10.0,
- pulse policy secure 5.1r11.0,
- pulse policy secure 5.1r11.1,
- pulse policy secure 5.1r12.0,
- pulse policy secure 5.1r12.1,
- pulse policy secure 5.1r13.0,
- pulse policy secure 5.1r14.0,
- pulse policy secure 5.1r2.0,
- pulse policy secure 5.1r2.1,
- pulse policy secure 5.1r3.0,
- pulse policy secure 5.1r3.2,
- pulse policy secure 5.1r4.0,
- pulse policy secure 5.1r5.0,
- pulse policy secure 5.1r6.0,
- pulse policy secure 5.1r7.0,
- pulse policy secure 5.1r8.0,
- pulse policy secure 5.1r9.0,
- pulse policy secure 5.1r9.1,
- pulse policy secure 5.2r1.0,
- pulse policy secure 5.2r10.0,
- pulse policy secure 5.2r11.0,
- pulse policy secure 5.2r2.0,
- pulse policy secure 5.2r3.0,
- pulse policy secure 5.2r3.2,
- pulse policy secure 5.2r4.0,
- pulse policy secure 5.2r5.0,
- pulse policy secure 5.2r6.0,
- pulse policy secure 5.2r7.0,
- pulse policy secure 5.2r7.1,
- pulse policy secure 5.2r8.0,
- pulse policy secure 5.2r9.0,
- pulse policy secure 5.2r9.1,
- pulse policy secure 5.2rx,
- pulse policy secure 5.3r1.0,
- pulse policy secure 5.3r1.1,
- pulse policy secure 5.3r10.,
- pulse policy secure 5.3r11.0,
- pulse policy secure 5.3r12.0,
- pulse policy secure 5.3r2.0,
- pulse policy secure 5.3r3.0,
- pulse policy secure 5.3r3.1,
- pulse policy secure 5.3r4.0,
- pulse policy secure 5.3r4.1,
- pulse policy secure 5.3r5.0,
- pulse policy secure 5.3r5.1,
- pulse policy secure 5.3r5.2,
- pulse policy secure 5.3r6.0,
- pulse policy secure 5.3r7.0,
- pulse policy secure 5.3r8.0,
- pulse policy secure 5.3r8.1,
- pulse policy secure 5.3r8.2,
- pulse policy secure 5.3r9.0,
- pulse policy secure 5.3rx,
- pulse policy secure 5.4r1,
- pulse policy secure 5.4r2,
- pulse policy secure 5.4r2.1,
- pulse policy secure 5.4r3,
- pulse policy secure 5.4r4,
- pulse policy secure 5.4r5,
- pulse policy secure 5.4r5.2,
- pulse policy secure 5.4r6,
- pulse policy secure 5.4r6.1,
- pulse policy secure 5.4r7,
- pulse policy secure 5.4rx,
- pulse policy secure 9.0r1,
- pulse policy secure 9.0r2,
- pulse policy secure 9.0r2.1,
- pulse policy secure 9.0r3,
- pulse policy secure 9.0r3.1,
- pulse policy secure 9.0rx
Exploited in the Wild