Multiple vulnerabilities in Pulse Connect Secure and Pulse Policy Secure
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 15 |
| CVE-ID | CVE-2019-11510 CVE-2019-11508 CVE-2019-11540 CVE-2019-11543 CVE-2019-11541 CVE-2019-11542 CVE-2019-11539 CVE-2019-11538 CVE-2019-11509 CVE-2019-11507 CVE-2018-16513 CVE-2018-18284 CVE-2018-15911 CVE-2018-15910 CVE-2018-15909 |
| CWE-ID | CWE-22 CWE-384 CWE-79 CWE-200 CWE-121 CWE-78 CWE-264 CWE-284 CWE-843 CWE-94 CWE-20 |
| Exploitation vector | Network |
| Public exploit |
Vulnerability #1 is being exploited in the wild. Vulnerability #7 is being exploited in the wild. Public exploit code for vulnerability #11 is available. Public exploit code for vulnerability #12 is available. Public exploit code for vulnerability #15 is available. |
| Vulnerable software Subscribe |
Ivanti Connect Secure (formerly Pulse Connect Secure) Server applications / Remote access servers, VPN Ivanti Policy Secure (formerly Pulse Policy Secure) Server applications / Remote access servers, VPN |
| Vendor | Ivanti |
Security Bulletin
This security bulletin contains information about 15 vulnerabilities.
1) Path traversal
EUVDB-ID: #VU27029
Risk: Medium
CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C]
CVE-ID: CVE-2019-11510
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to read arbitrary files on the system.
The vulnerability exists due to input validation error when processing HTTP requests in Pulse Connect Secure. A remote non-authenticated attacker can send a specially crafted HTTP request and read contents of arbitrary files on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIvanti Connect Secure (formerly Pulse Connect Secure): 8.2R1 - 9.0R3.2
External linkshttp://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html
http://packetstormsecurity.com/files/154231/Pulse-Secure-SSL-VPN-File-Disclosure-NSE.html
http://www.securityfocus.com/bid/108073
http://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/
http://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
http://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
http://kb.pulsesecure.net/?atype=sa
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://lists.apache.org/thread.html/ff5fa1837b6bd1b24d18a42faa75e165a4573dbe2d434910c15fd08a@%3Cuser.guacamole.apache.org%3E
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
2) Path traversal
EUVDB-ID: #VU27030
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11508
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing file uploads within Network File Share (NFS) feature of Pulse Connect Secure. A remote authenticated user can can send a specially crafted HTTP request and upload dangerous files to arbitrary locations on the system.
Install update from vendor's website.
Vulnerable software versionsIvanti Connect Secure (formerly Pulse Connect Secure): 8.1R1.0 - 9.0R3.2
External linkshttp://kb.pulsesecure.net/?atype=sa
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Session Fixation
EUVDB-ID: #VU27035
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11540
CWE-ID:
CWE-384 - Session Fixation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to hijack users' sessions.
The vulnerability exists due to insufficient session validation in Pulse Connect Secure and Pulse Policy Secure. A remote attacker can can conduct a session hijacking attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsIvanti Connect Secure (formerly Pulse Connect Secure): 8.3R1 - 9.0R3.2
Ivanti Policy Secure (formerly Pulse Policy Secure): 5.4R1 - 9.0R3.1
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site scripting
EUVDB-ID: #VU27036
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11543
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsIvanti Connect Secure (formerly Pulse Connect Secure): 8.1R1.0 - 9.0R3.2
Ivanti Policy Secure (formerly Pulse Policy Secure): 5.2R1.0 - 9.0R3.1
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://www.kb.cert.org/vuls/id/927237
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Information disclosure
EUVDB-ID: #VU27037
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11541
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to information leak, when SAML authentication with the Reuse Existing NC (Pulse) Session option is used. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsIvanti Connect Secure (formerly Pulse Connect Secure): 8.2R1 - 9.0R3.2
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://www.kb.cert.org/vuls/id/927237
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Stack-based buffer overflow
EUVDB-ID: #VU27038
Risk: Medium
CVSSv3.1: 5.8 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11542
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Pulse Connect Secure and Pulse Policy Secure. A remote authenticated authenticated user (via the admin web interface) can send specially crafted message, trigger a stack-based buffer overflow and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsIvanti Connect Secure (formerly Pulse Connect Secure): 8.1R1.0 - 9.0R3.2
Ivanti Policy Secure (formerly Pulse Policy Secure): 5.1R1.0 - 9.0R3.1
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) OS Command Injection
EUVDB-ID: #VU27039
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2019-11539
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in admin web interface of Pulse Connect Secure and Pulse Policy Secure. A remote authenticated user can execute arbitrary OS commands.
Install updates from vendor's website.
Vulnerable software versionsIvanti Connect Secure (formerly Pulse Connect Secure): 8.1R1.0 - 9.0R3.2
Ivanti Policy Secure (formerly Pulse Policy Secure): 5.1R1.0 - 9.0R3.1
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
8) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU27040
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11538
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information on the system.
The vulnerability exists due to improper privilege management in NFS functionality. A remote authenticated user can view contents of arbitrary files on the system.
Install updates from vendor's website.
Vulnerable software versionsIvanti Connect Secure (formerly Pulse Connect Secure): 8.1R1.0 - 9.0R3.2
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Improper access control
EUVDB-ID: #VU27041
Risk: Medium
CVSSv3.1: 5.8 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11509
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within the admin web interface in Pulse Connect Secure and Pulse Policy Secure. A remote authenticated user can bypass implemented security restrictions and execute arbitrary system commands on the appliance.
Install updates from vendor's website.
Vulnerable software versionsIvanti Connect Secure (formerly Pulse Connect Secure): 8.1R1.0 - 9.0R3.2
Ivanti Policy Secure (formerly Pulse Policy Secure): 5.1R1.0 - 9.0R3.1
External linkshttp://kb.pulsesecure.net/?atype=sa
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
http://www.kb.cert.org/vuls/id/927237
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Cross-site scripting
EUVDB-ID: #VU27042
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11507
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data on the Application Launcher page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsIvanti Connect Secure (formerly Pulse Connect Secure): 8.3R1 - 9.0R3.2
External linkshttp://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
http://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
http://kb.pulsesecure.net/?atype=sa
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Type confusion
EUVDB-ID: #VU14689
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-16513
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code on the target system.
The vulnerability exists due to a type confusion condition in the setcolor function. A remote unauthenticated attacker can trick the victim into opening a specially crafted PostScript file that submits malicious input and cause the affected software to crash or execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 8.2R1 - 9.0R3.2
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
12) Code injection
EUVDB-ID: #VU15463
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-18284
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass the sandbox protection mechanism on the target system.
The vulnerability exists due to the failure of the sandbox protection mechanism of the affected software when the 1Policy operator is used. A remote unauthenticated attacker can trick the victim into accessing a PostScript file that submits malicious input, bypass the sandbox protection mechanism and modify or replace error handlers used by the software, which the attacker could use to inject and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 8.2R1 - 9.0R3.2
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
13) Improper input validation
EUVDB-ID: #VU14562
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-15911
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the bypass of the -dSAFER option. A remote unauthenticated attacker can submit a specially crafted PostScript file, cause uninitialized memory access in the aesdecode operator and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 8.2R1 - 9.0R3.2
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Type confusion
EUVDB-ID: #VU14564
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-15910
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the bypass of the -dSAFER option. A remote unauthenticated attacker can submit a specially crafted PostScript file, trigger type confusion in LockDistillerParams parameter and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
MitigationInstall updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 8.2R1 - 9.0R3.2
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Improper input validation
EUVDB-ID: #VU14496
Risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-15909
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions and execute arbitrary system commands.
The vulnerability exists due to improper input validation when processing malformed PostScript, PDF, EPS, or XPS files. A remote attacker can supply a specially crafted file, bypass -dSAFER restrictions and execute arbitrary commands on vulnerable system.
Mitigation
Install updates from vendor's website.
Ivanti Connect Secure (formerly Pulse Connect Secure): 8.2R1 - 9.0R3.2
External linkshttp://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
