Executive Summary
CVE-2019-11510 is a critical vulnerability in Pulse Secure's Pulse Connect Secure (PCS) VPN appliances. This vulnerability allows an unauthenticated remote attacker to read arbitrary files, including sensitive configuration files, by sending a specially crafted URI. The vulnerability affects multiple versions of Pulse Connect Secure, specifically versions before 8.2R12.1, 8.3R7.1, and 9.0R3.4. This report provides a comprehensive analysis of CVE-2019-11510, including details about the vulnerability, exploitation in the wild, mitigation strategies, and references to relevant sources.
Technical Information
CVE-2019-11510 is a critical vulnerability identified in Pulse Secure's Pulse Connect Secure (PCS) VPN appliances. The vulnerability allows an unauthenticated remote attacker to read arbitrary files on the VPN appliance by sending a specially crafted URI. This can include sensitive configuration files, which may contain credentials and other critical information. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')) and has a CVSS v3.1 Base Score of 10.0, indicating its critical nature.
The vulnerability exists due to improper handling of URL paths in the web interface of the Pulse Connect Secure appliance. An attacker can exploit this vulnerability by crafting a specific URL that bypasses the normal access controls and allows access to files that should be restricted. This can lead to the exposure of sensitive information, including VPN session tokens and credentials, which can be used for further attacks.
The affected versions of Pulse Connect Secure are:
- Pulse Connect Secure (PCS) 8.2 before 8.2R12.1
- Pulse Connect Secure (PCS) 8.3 before 8.3R7.1
- Pulse Connect Secure (PCS) 9.0 before 9.0R3.4
Exploitation in the Wild
CVE-2019-11510 has been actively exploited in the wild. Attackers have used this vulnerability to gain unauthorized access to sensitive information, including VPN session tokens and credentials. This has led to further exploitation, including the deployment of ransomware and other malicious activities.
Notable exploits and attacks include:
1. APT Groups: Various Advanced Persistent Threat (APT) groups have been observed exploiting this vulnerability to gain initial access to target networks.
2. Ransomware Deployment: Attackers have used the information obtained through this vulnerability to deploy ransomware, such as REvil and Sodinokibi.
3. Credential Theft: Exploitation of this vulnerability has led to the theft of credentials, which are then used for lateral movement within the compromised network.
APT Groups using this vulnerability
Various APT groups have been observed exploiting CVE-2019-11510. Notably, APT29 and APT41 have been linked to attacks leveraging this vulnerability. These groups have targeted sectors including government, healthcare, and finance across multiple countries. The exploitation by these groups underscores the critical nature of this vulnerability and the importance of timely mitigation.
Affected Product Versions
The following versions of Pulse Connect Secure are affected by CVE-2019-11510:
- Pulse Connect Secure (PCS) 8.2 before 8.2R12.1
- Pulse Connect Secure (PCS) 8.3 before 8.3R7.1
- Pulse Connect Secure (PCS) 9.0 before 9.0R3.4
Workaround and Mitigation
To mitigate the risks associated with CVE-2019-11510, organizations should implement the following strategies:
- Patch and Update: The primary mitigation strategy is to apply the patches provided by Pulse Secure. Ensure that Pulse Connect Secure is updated to version 8.2R12.1, 8.3R7.1, or 9.0R3.4, or later.
- Network Segmentation: Implement network segmentation to limit the exposure of VPN appliances to the internet.
- Monitor and Detect: Continuously monitor network traffic for signs of exploitation and use intrusion detection systems (IDS) to detect suspicious activities.
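The patch guidance above can be checked across an appliance inventory. The following is an added example, not code from Rescana or Pulse Secure: it classifies version strings against the three fixed releases named in this report. The `MAJOR.MINORrRELEASE[.PATCH]` string format is inferred from the version numbers quoted here, and the hostnames and inventory are constructed.

```python
import re

# Fixed release per train, taken from the affected-version list in this report.
FIXED = {(8, 2): (12, 1), (8, 3): (7, 1), (9, 0): (3, 4)}

# MAJOR.MINOR "R" RELEASE [.PATCH], e.g. 8.2R12.1 or 8.3R7
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_pcs_version(text):
    """Return ((major, minor), (release, patch)) as integers."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = match.groups()
    # A missing patch component (8.3R7) sorts before 8.3R7.1.
    return (int(major), int(minor)), (int(release), int(patch or 0))


def classify(version_text):
    """Classify one version string against the report's thresholds."""
    try:
        train, build = parse_pcs_version(version_text)
    except ValueError:
        return "unparseable"      # needs manual review, never assume safe
    fixed = FIXED.get(train)
    if fixed is None:
        return "not-listed"       # train is not covered by this report
    # Integer tuples compare numerically: R9.2 < R12.1, which a plain
    # string comparison would get wrong.
    return "vulnerable" if build < fixed else "fixed"


def triage(inventory):
    """Map hostname -> classification for a {hostname: version} inventory."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "vpn-a.example.internal": "9.0R3.4",
    "vpn-b.example.internal": "8.2R9.2",
    "vpn-c.example.internal": "8.3R7",
    "vpn-d.example.internal": "9.1R1",
    "vpn-e.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:28} {SAMPLE_INVENTORY[host]:10} {status}")
```

Appliances reported as `not-listed` or `unparseable` fall outside the version ranges this report covers and should be checked against the vendor's own advisory.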
References
For further reading and technical details, please refer to the following sources:
- CISA: Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Packet Storm Security: Pulse Secure SSL VPN 8.1R15.1-8.2-8.3-9.0 Arbitrary File Disclosure (http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html)
- GitHub: BishopFox/pwn-pulse (https://github.com/BishopFox/pwn-pulse)
- GitHub: aqhmal/pulsexploit (https://github.com/aqhmal/pulsexploit)
- GitHub: cisagov/check-your-pulse (https://github.com/cisagov/check-your-pulse)
- GitHub: es0/CVE-2019-11510_poc (https://github.com/es0/CVE-2019-11510_poc)
- GitHub: imjdl/CVE-2019-11510-poc (https://github.com/imjdl/CVE-2019-11510-poc)
- GitHub: jas502n/CVE-2019-11510-1 (https://github.com/jas502n/CVE-2019-11510-1)
- GitHub: projectzeroindia/CVE-2019-11510 (https://github.com/projectzeroindia/CVE-2019-11510)
- GitHub: r00tpgp/http-pulse_ssl_vpn.nse (https://github.com/r00tpgp/http-pulse_ssl_vpn.nse)
- GitHub: rapid7/metasploit-framework (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/pulse_secure_file_disclosure.rb)
Rescana is here for you
At Rescana, we understand the critical importance of protecting your organization from vulnerabilities like CVE-2019-11510. Our Continuous Threat and Exposure Management (CTEM) platform helps you stay ahead of potential threats by providing real-time monitoring, threat intelligence, and automated response capabilities. We are committed to helping you secure your network and protect your sensitive data.
For further assistance or inquiries, please contact Rescana's cybersecurity team at ops@rescana.com.