Pulse VPN Critical Vulnerability, CVE-2019-11510.

03.09.19 05:08 PM By Jordan

The original article can be found here.

GTconsult has just become aware of another potential threat that clients need to be aware of: CVE-2019-11510, which affects Pulse VPN.

CVE-2019-11510 Vulnerability.

The article points out that multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file access on the Pulse Connect Secure gateway.

The article adds that this advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Many of these vulnerabilities have a critical CVSS score and pose significant risk to your deployment. We strongly recommend upgrading to the corresponding version with the fix as soon as possible.

Refer to KB43892 – What releases will Pulse Secure apply fixes to resolve security vulnerabilities? per our End of Engineering (EOE) and End of Life (EOL) policies.

Affected Versions.

  • Pulse Connect Secure 9.0R1 – 9.0R3.3
  • Pulse Connect Secure 8.3R1 – 8.3R7
  • Pulse Connect Secure 8.2R1 – 8.2R12
  • Pulse Connect Secure 8.1R1 – 8.1R15
  • Pulse Policy Secure 9.0R1 – 9.0R3.3
  • Pulse Policy Secure 5.4R1 – 5.4R7
  • Pulse Policy Secure 5.3R1 – 5.3R12
  • Pulse Policy Secure 5.2R1 – 5.2R12
  • Pulse Policy Secure 5.1R1 – 5.1R15

Not Affected.

  • Pulse Connect Secure 9.1R1 and above
  • Pulse Connect Secure 9.0R4 & 9.0R3.4
  • Pulse Connect Secure 8.3R7.1
  • Pulse Connect Secure 8.2R12.1
  • Pulse Connect Secure 8.1R15.1
  • Pulse Policy Secure 9.1R1 and above
  • Pulse Policy Secure 9.0R4 & 9.0R3.4
  • Pulse Policy Secure 5.4R7.1
  • Pulse Policy Secure 5.3R12.1
  • Pulse Policy Secure 5.2R12.1
  • Pulse Policy Secure 5.1R15.1

<table><tbody>
<tr><td width="156">CVE</td><td width="156">CVSS Score (V3)</td><td width="156">Summary</td><td width="156">Product Affected</td></tr>
<tr><td width="156">CVE-2019-11510</td><td width="156">10 Critical CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</td><td width="156">An unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file read.</td><td width="156">Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX. These versions are not impacted by this CVE: 9.1R1 and above, 8.1RX and below.</td></tr>
<tr><td width="156">CVE-2019-11508</td><td width="156">9.9 Critical CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</td><td width="156">A vulnerability in the Network File Share (NFS) of Pulse Connect Secure allows an authenticated end-user attacker to upload a malicious file to write arbitrary files to the local system.</td><td width="156">Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX, 8.1RX</td></tr>
<tr><td width="156"></td><td width="156">9.9 Critical CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</td><td width="156">Multiple vulnerabilities are patched for Ghostscript: CVE-2018-16513, CVE-2018-18284, CVE-2018-15911, CVE-2018-15910, CVE-2018-15909, CVE-2018-16513</td><td width="156">Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX</td></tr>
<tr><td width="156">CVE-2019-11540</td><td width="156">8.3 High CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H</td><td width="156">A vulnerability in Pulse Secure could allow an unauthenticated, remote attacker to conduct an (end user) session hijacking attack.</td><td width="156">Pulse Connect Secure: 9.0RX, 8.3RX. Pulse Policy Secure: 9.0RX, 5.4RX</td></tr>
<tr><td width="156">CVE-2019-11543</td><td width="156">8.3 HIGH CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H</td><td width="156">An XSS issue was found in the admin web console. Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1.</td><td width="156">Pulse Connect Secure: 9.0RX, 8.3RX, 8.1RX. Pulse Policy Secure: 9.0RX, 5.4RX, 5.2RX</td></tr>
<tr><td width="156">CVE-2019-11541</td><td width="156">8.3 High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L</td><td width="156">Users using SAML authentication with Reuse Existing NC (Pulse) Session option may see authentication leaks.</td><td width="156">Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX</td></tr>
<tr><td width="156">CVE-2019-11542</td><td width="156">8.0 High CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H</td><td width="156">An authenticated attacker can send a specially crafted message via the admin web interface, resulting in a stack buffer overflow.</td><td width="156">Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX, 8.1RX. Pulse Policy Secure: 9.0RX, 5.4RX, 5.3RX, 5.2RX, 5.1RX</td></tr>
<tr><td width="156">CVE-2019-11539</td><td width="156">8.0 High CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H</td><td width="156">An authenticated attacker can inject and execute commands via the admin web interface.</td><td width="156">Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX, 8.1RX. Pulse Policy Secure: 9.0RX, 5.4RX, 5.3RX, 5.2RX, 5.1RX</td></tr>
<tr><td width="156">CVE-2019-11538</td><td width="156">7.7 High CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N</td><td width="156">A vulnerability in the Network File Share (NFS) of Pulse Connect Secure could allow an authenticated end-user attacker to access the contents of arbitrary files on the local file system.</td><td width="156">Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX, 8.1RX</td></tr>
<tr><td width="156">CVE-2019-11509</td><td width="156">6.4 Medium CVSS v3 AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H</td><td width="156">An authenticated attacker can exploit this issue via the admin web interface to execute arbitrary code on the Pulse Secure appliance.</td><td width="156">Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX, 8.1RX. Pulse Policy Secure: 9.0RX, 5.4RX, 5.3RX, 5.2RX, 5.1RX</td></tr>
<tr><td width="156">CVE-2019-11507</td><td width="156">5.8 Medium CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L</td><td width="156">An XSS issue has been found in the Pulse Secure Application Launcher page. Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1, and 9.0.x before 9.0R3.</td><td width="156">Pulse Connect Secure: 9.0RX, 8.3RX</td></tr>
</tbody></table>

Solution.

The article points out that the solution for these vulnerabilities is to upgrade your Pulse Connect Secure and Pulse Policy Secure server software version to the corresponding version that has the fix.

The following table provides guidance on the software you should deploy depending on the current software version.

<table><tbody>
<tr><td width="208">If the PCS/PPS version is installed:</td><td width="208">Then deploy this version (or later) to resolve the issue:</td><td width="208">Expected Release</td><td width="208">Notes (if any)</td></tr>
<tr><td width="208">Pulse Connect Secure 9.0RX</td><td width="208">Pulse Connect Secure 9.0R3.4 & 9.0R4</td><td width="208">Available Now</td><td width="208"></td></tr>
<tr><td width="208">Pulse Connect Secure 8.3RX</td><td width="208">Pulse Connect Secure 8.3R7.1</td><td width="208">Available Now</td><td width="208"></td></tr>
<tr><td width="208">Pulse Connect Secure 8.2RX</td><td width="208">Pulse Connect Secure 8.2R12.1</td><td width="208">Available Now</td><td width="208"></td></tr>
<tr><td width="208">Pulse Connect Secure 8.1RX</td><td width="208">Pulse Connect Secure 8.1R15.1</td><td width="208">Available Now</td><td width="208"></td></tr>
<tr><td width="208">Pulse Policy Secure 9.0RX</td><td width="208">Pulse Policy Secure 9.0R3.2 & 9.0R4</td><td width="208">Available Now</td><td width="208"></td></tr>
<tr><td width="208">Pulse Policy Secure 5.4RX</td><td width="208">Pulse Policy Secure 5.4R7.1</td><td width="208">Available Now</td><td width="208"></td></tr>
<tr><td width="208">Pulse Policy Secure 5.3RX</td><td width="208">Pulse Policy Secure 5.3R12.1</td><td width="208">Available Now</td><td width="208"></td></tr>
<tr><td width="208">Pulse Policy Secure 5.2RX</td><td width="208">Pulse Policy Secure 5.2R12.1</td><td width="208">Available Now</td><td width="208"></td></tr>
<tr><td width="208">Pulse Policy Secure 5.1RX</td><td width="208">Pulse Policy Secure 5.1R15.1</td><td width="208">Available Now</td><td width="208"></td></tr>
</tbody></table>
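To apply the upgrade guidance across an appliance inventory, the following added example (not from the original article or from Pulse Secure) parses version strings such as 8.3R7.1 and compares them with the fixed release for their train, including the point-release difference between 8.3R7 and 8.3R7.1. The function names, the PCS/PPS product labels and the sample inventory are assumptions made for illustration; the result covers the advisory as a whole, not a single CVE.

```python
import re

# Fixed release per version train, from the solution table above.
# Note: for PPS 9.0 that table gives 9.0R3.2 while the "Not Affected" list
# names 9.0R3.4; confirm against the vendor advisory.
FIXED = {
    "PCS": {(9, 0): (3, 4), (8, 3): (7, 1), (8, 2): (12, 1), (8, 1): (15, 1)},
    "PPS": {(9, 0): (3, 2), (5, 4): (7, 1), (5, 3): (12, 1),
            (5, 2): (12, 1), (5, 1): (15, 1)},
}
FIRST_UNAFFECTED_TRAIN = (9, 1)  # "9.1R1 and above", both products

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Split '8.3R7.1' into train (8, 3) and release (7, 1); '8.3R7' -> (7, 0)."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, point = m.groups()
    return (int(major), int(minor)), (int(release), int(point or 0))


def assess(product, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one appliance."""
    train, release = parse_version(version)
    if train >= FIRST_UNAFFECTED_TRAIN:
        return "patched"
    fixed = FIXED[product.upper()].get(train)
    if fixed is None:
        # Train not listed on this page (e.g. end-of-life); needs manual review.
        return "unknown"
    return "patched" if release >= fixed else "vulnerable"


def triage(inventory):
    """Return (host, product, version, status) for every host that is not patched."""
    findings = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status != "patched":
            findings.append((host, product, version, status))
    return findings


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = [
    ("vpn-a.example.internal", "PCS", "9.0R3.3"),
    ("vpn-b.example.internal", "PCS", "8.3R7.1"),
    ("vpn-c.example.internal", "PCS", "8.3R7"),
    ("nac-a.example.internal", "PPS", "5.2R12.1"),
    ("vpn-d.example.internal", "PCS", "8.0R5"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row)
```

Hosts reported as unknown run a train that this page does not list and need manual review against the vendor's EOE/EOL policy.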

Exploitation and Announcements.

The article points out that the vulnerabilities described in this advisory, including CVE-2019-11510, were found and properly disclosed by security researchers on March 22, 2019.

The article adds that Pulse Secure PSIRT is aware of the existence of exploit code that can demonstrate these vulnerabilities. Pulse Secure strongly recommends upgrading to the patched software as soon as possible.

Frequently Asked Questions (FAQ).

Question 1: Can I delay the upgrade and upgrade to the next major release instead?

Answer: No, Pulse Secure recommends upgrading to the corresponding version with the fix as soon as possible.

Question 2: Where can I find and download the security patches for the CVE-2019-11510 vulnerability?

Answer: All security patches are available from the Download Center at https://my.pulsesecure.net.  For instructions to download software, please refer to KB40028 – How to download software / firmware for Pulse Secure products using the Licensing & Download Center at my.pulsesecure.net

Question 3: Will the device reboot after upgrading to the fix version?

Answer: Yes, once you upgrade your device it will reboot automatically.

Question 4: Do I need to upgrade client components (including Pulse Desktop Client, Network Connect, WSAM, Terminal Services) on my Windows, Mac, Linux, Android, or iOS endpoints?

Answer: For Pulse Desktop Client or Pulse Mobile (for iOS and Android)

  • Upgrade of these client components is not required.

Note: Pulse Desktop Clients will upgrade on the endpoints if the PCS/PPS server-side configuration is set to “Auto-Upgrade” with a higher Pulse Desktop Client package set to Active. To avoid upgrading the Pulse Desktop Client, please upload the equivalent Pulse Desktop Client version and mark it as Active.

For WSAM, Network Connect, Host Checker, and Terminal Services customers

  • The client will be upgraded as part of the server upgrade. If client machines do not have administrator privileges, ensure that Pulse Secure Installer Service is installed or that they have the required privileges/rights.

Question 5: How do I upgrade Pulse Connect Secure / Pulse Policy Secure to resolve this vulnerability?

Answer:  Download a fixed version of the Pulse Connect Secure or Pulse Policy Secure available from the Licensing & Download Center at https://my.pulsesecure.net.  For upgrade documentation, please refer to:

For additional FAQ and upgrade recommendations, refer to KB23051.

Question 6: Is there any workaround to fix this vulnerability temporarily?

Answer: No, there is no workaround. Pulse Secure strongly recommends that administrators upgrade their devices to fixed versions.

Question 7:  I do not have access to my.pulsesecure.net to download the recommended PCS/PPS version.

Answer: Please refer to KB40031 for onboarding at my.pulsesecure.net. If you face any issues, please contact Pulse Secure Global Support Center.

Question 8: Does Pulse Secure recommend taking any additional precautionary action after upgrading to the patched software?

Answer: As a precautionary measure, Pulse Secure recommends the following steps:

  1. Any end user and administrator passwords used to log in to the device should be changed.
  2. Any service account passwords stored on the device (LDAP, RADIUS, AD, etc.) should be changed.
  3. Replace device certificate(s) by generating a new certificate signing request (CSR) on the device.

Question 9: After upgrading to the patched version, Qualys and Tenable are still showing the device as vulnerable?

Answer: Qualys and Tenable are parsing the version number and do not properly confirm the issue. Pulse Secure is working with both vendors to properly detect the issue. If the device is running a patched version, CVE-2019-11510 is no longer applicable.

We know that this might be difficult for you to do on your own. If you need any assistance fixing CVE-2019-11510 or any other issues, contact our A Team and let us enable secure productivity in your business.

Jordan
