
Pulse VPN Vulnerability Analysis (CVE-2019-11510)

Executive Summary

On April 24th 2019, Pulse Secure published advisory SA44101 reporting multiple vulnerabilities in the Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) applications. These vulnerabilities include an authentication bypass (CVE-2019-11510) that allows an unauthenticated attacker to perform arbitrary file access, and a flaw that allows an authenticated administrator to perform remote code execution (CVE-2019-11508). Some of the reported vulnerabilities have a CVSS score above 9, are marked critical, and may pose a significant risk to environments using these applications.

On January 10th 2020, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) issued Alert (AA20-010A) reporting widespread exploitation activity and urging organizations to update Pulse Secure applications immediately.

Technical Detail

The Pulse Secure application Pulse Connect Secure (PCS) is vulnerable to a directory traversal attack that an attacker can exploit to access files and directories outside of the web folder.

The Awake Threat Research team is noticing an uptick in activity related to CVE-2019-11510 as attackers attempt to scan and enumerate vulnerable servers. For instance, here is a recent example:

Figure 1: Awake detecting PulseSecure Directory Traversal attack

In scanning activity we observed clear attempts to reference files using dot-dot-slash (../) sequences in order to exploit this directory traversal vulnerability. We have observed CVE-2019-11510 exploited to access configuration or other critical files in other directories; for instance, figure 2 shows an attempt to access private keys and user passwords.

Figure 2: Directory path traversal seen in scanning activity

Exploitability

CVE-2019-11510 severely impacts Pulse Connect Secure, which provides access from any authorized device to business applications and services hosted in cloud and data centers. Per the vendor, it is one of the market leaders in secure access, deployed across 80% of the Fortune 500 and used by 20 million endpoints. As VPN gateways, such applications are typically installed at the perimeter of an organization's network and are therefore directly accessible from the internet and wide open to this type of exploitation. Given the associated risk, CVE-2019-11510 has been assigned the maximum CVSS score of 10.0 (Critical).

Searching Shodan, the Awake Threat Research team was able to discover approximately twenty-four thousand internet-accessible Pulse Secure servers.

Figure 3: Shodan results for internet accessible Pulse Secure servers.

Arbitrary File Access & Credential Stealing

As of January 13th 2020, there are eleven GitHub projects referencing CVE-2019-11510, some of them containing exploit code that reads sensitive files and steals credentials from vulnerable servers.

In general, most projects execute in a two-step process. For example, at the time of writing, the most popular GitHub project exploiting this vulnerability first scans for vulnerable Pulse Secure servers by using the directory traversal to download the /etc/passwd file:

curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" > c.txt

Figure 4: Directory traversal exploited to download /etc/passwd from a vulnerable PulseSecure server

If the responding Pulse Secure server is found to be vulnerable, the directory traversal vulnerability is then used again to download the “/runtime/mtmp/lmdb/dataa/data.mdb” database file and extract usernames and passwords from it.

curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/"

Figure 5: Directory traversal exploited to download a database file with usernames and passwords
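As an added example that is not part of the original post, the following Python scans web access-log lines for the request shape shown in figures 4 and 5 (the guacamole path followed by dot-dot-slash sequences, the trailing guacamole query string, and the two target files named in the text). It goes slightly beyond the figures by percent-decoding the path so encoded variants of the traversal are also caught. The log lines are constructed samples, not real traffic, and the log format and indicator labels are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (not real traffic); the
# request paths copy the traversal shape shown in figures 4 and 5.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2020:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.7 - - [13/Jan/2020:10:01:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1203
203.0.113.7 - - [13/Jan/2020:10:01:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 88011
198.51.100.4 - - [13/Jan/2020:10:02:00 +0000] "GET /dana-na/..%2fdana/html5acc/guacamole/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1203
198.51.100.9 - - [13/Jan/2020:10:03:00 +0000] "GET /dana/home/index.cgi HTTP/1.1" 302 0
"""

# Assumed Common Log Format layout: ip ident user [ts] "method target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$')

# Files the public exploit scripts retrieve, per the text above.
SENSITIVE_SUFFIXES = ("/etc/passwd", "/data.mdb")

def decode_path(target):
    """Split the request target into path and query, then percent-decode the path
    twice (to catch double-encoding) so '..%2f' compares like '../'."""
    path, _, query = target.partition("?")
    for _ in range(2):
        path = unquote(path)
    return path, query

def classify(target):
    """Return a list of indicator labels for one request target; empty means no match."""
    path, query = decode_path(target)
    indicators = []
    if "/dana/html5acc/guacamole/" in path and "/../" in path:
        indicators.append("guacamole-traversal")      # the CVE-2019-11510 path shape
    if query.startswith("/dana/html5acc/guacamole"):
        indicators.append("guacamole-query-suffix")   # query string seen in the exploits
    if path.endswith(SENSITIVE_SUFFIXES):
        indicators.append("sensitive-file")           # /etc/passwd or the lmdb data.mdb
    return indicators

def scan_log(text):
    """Parse each line and return (ip, status, target, indicators) for flagged requests.
    A 200 status on a flagged request suggests the server actually served the file."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = classify(m["target"])
        if found:
            hits.append((m["ip"], int(m["status"]), m["target"], found))
    return hits
```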

Recommendation

As explained in the technical details above, exploiting Pulse Secure gateways vulnerable to CVE-2019-11510 is trivial, and current scanning activity indicates that attackers are actively pursuing this.

As mentioned in Pulse Secure advisory SA44101, released on April 24th 2019, the vendor has released upgraded versions of both Pulse Connect Secure and Pulse Policy Secure. We recommend that organizations immediately deploy the most recent software version to protect themselves, and follow the other guidance provided in the CISA alert.

Param Singh

VP, Threat Research