SB2019042508 - Multiple vulnerabilities in Pulse Connect Secure and Pulse Policy Secure
Published: April 25, 2019 Updated: February 23, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2019-11510)
The vulnerability allows a remote attacker to read arbitrary files on the system.
The vulnerability exists due to input validation error when processing HTTP requests in Pulse Connect Secure. A remote non-authenticated attacker can send a specially crafted HTTP request and read contents of arbitrary files on the system.
2) Path traversal (CVE-ID: CVE-2019-11508)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing file uploads within Network File Share (NFS) feature of Pulse Connect Secure. A remote authenticated user can can send a specially crafted HTTP request and upload dangerous files to arbitrary locations on the system.
3) Session Fixation (CVE-ID: CVE-2019-11540)
The vulnerability allows a remote attacker to hijack users' sessions.
The vulnerability exists due to insufficient session validation in Pulse Connect Secure and Pulse Policy Secure. A remote attacker can can conduct a session hijacking attack.
4) Cross-site scripting (CVE-ID: CVE-2019-11543)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) Information disclosure (CVE-ID: CVE-2019-11541)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to information leak, when SAML authentication with the Reuse Existing NC (Pulse) Session option is used. A remote attacker can gain unauthorized access to sensitive information on the system.
6) Stack-based buffer overflow (CVE-ID: CVE-2019-11542)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Pulse Connect Secure and Pulse Policy Secure. A remote authenticated authenticated user (via the admin web interface) can send specially crafted message, trigger a stack-based buffer overflow and execute arbitrary code on the system.
7) OS Command Injection (CVE-ID: CVE-2019-11539)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in admin web interface of Pulse Connect Secure and Pulse Policy Secure. A remote authenticated user can execute arbitrary OS commands.
8) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-11538)
The vulnerability allows a remote attacker to gain access to sensitive information on the system.
The vulnerability exists due to improper privilege management in NFS functionality. A remote authenticated user can view contents of arbitrary files on the system.
9) Improper access control (CVE-ID: CVE-2019-11509)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within the admin web interface in Pulse Connect Secure and Pulse Policy Secure. A remote authenticated user can bypass implemented security restrictions and execute arbitrary system commands on the appliance.
10) Cross-site scripting (CVE-ID: CVE-2019-11507)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data on the Application Launcher page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
11) Type confusion (CVE-ID: CVE-2018-16513)
The vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code on the target system.
The vulnerability exists due to a type confusion condition in the setcolor function. A remote unauthenticated attacker can trick the victim into opening a specially crafted PostScript file that submits malicious input and cause the affected software to crash or execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Code injection (CVE-ID: CVE-2018-18284)
The vulnerability allows a remote attacker to bypass the sandbox protection mechanism on the target system.
The vulnerability exists due to the failure of the sandbox protection mechanism of the affected software when the 1Policy operator is used. A remote unauthenticated attacker can trick the victim into accessing a PostScript file that submits malicious input, bypass the sandbox protection mechanism and modify or replace error handlers used by the software, which the attacker could use to inject and execute arbitrary code on the system.
13) Improper input validation (CVE-ID: CVE-2018-15911)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the bypass of the -dSAFER option. A remote unauthenticated attacker can submit a specially crafted PostScript file, cause uninitialized memory access in the aesdecode operator and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
14) Type confusion (CVE-ID: CVE-2018-15910)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the bypass of the -dSAFER option. A remote unauthenticated attacker can submit a specially crafted PostScript file, trigger type confusion in LockDistillerParams parameter and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
15) Improper input validation (CVE-ID: CVE-2018-15909)
The vulnerability allows a remote attacker to bypass implemented security restrictions and execute arbitrary system commands.
The vulnerability exists due to improper input validation when processing malformed PostScript, PDF, EPS, or XPS files. A remote attacker can supply a specially crafted file, bypass -dSAFER restrictions and execute arbitrary commands on vulnerable system.
Remediation
Install update from vendor's website.
References
- http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html
- http://packetstormsecurity.com/files/154231/Pulse-Secure-SSL-VPN-File-Disclosure-NSE.html
- http://www.securityfocus.com/bid/108073
- https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
- https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
- https://kb.pulsesecure.net/?atype=sa
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
- https://lists.apache.org/thread.html/ff5fa1837b6bd1b24d18a42faa75e165a4573dbe2d434910c15fd08a@%3Cuser.guacamole.apache.org%3E
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
- https://www.kb.cert.org/vuls/id/927237