Continued exploitation of Pulse Secure VPN vulnerability


Summary

Unpatched Pulse Secure VPN servers continue to be an attractive target for bad actors. Affected organizations that have not applied the hotfix to address an arbitrary file reading vulnerability, known as CVE-2019-11510, may be compromised in an attack.[1]

Although Pulse Secure [2] disclosed the vulnerability and provided software fixes for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe widespread exploitation of CVE-2019-11510.[3],[4],[5]

CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to corresponding patches.[2]

Timeline of specific events

  • April 24, 2019 – Pulse Secure releases initial guidance and software updates addressing several vulnerabilities.
  • May 28, 2019 – Large commercial providers receive reports of vulnerable VPNs via HackerOne.
  • July 31, 2019 – Full use of exploit demonstrated using admin session hash to achieve full shell.
  • August 8, 2019 – Meh Chang and Orange Tsai demonstrate VPN issues across multiple providers (Pulse Secure) with a detailed attack on active VPN exploitation.
  • August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers worldwide that remain unpatched and require upgrading.
  • October 7, 2019 – The National Security Agency (NSA) issues a cybersecurity advisory on Pulse Secure and other VPN products actively targeted by advanced persistent threat actors.
  • October 16, 2019 – The CERT Coordination Center (CERT/CC) publishes Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.
  • January 2020 – Media reports that cybercriminals are now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.

Technical details

Impact

An unauthenticated remote attacker may be able to compromise a vulnerable VPN server. The attacker may be able to access all active users and their credentials in plain text. It may also be possible for the attacker to execute arbitrary commands on each VPN client when it successfully connects to the VPN server.

Affected versions:

  • Pulse Connect Secure 9.0R1 – 9.0R3.3
  • Pulse Connect Secure 8.3R1 – 8.3R7
  • Pulse Connect Secure 8.2R1 – 8.2R12
  • Pulse Connect Secure 8.1R1 – 8.1R15
  • Pulse Policy Secure 9.0R1 – 9.0R3.1
  • Pulse Policy Secure 5.4R1 – 5.4R7
  • Pulse Policy Secure 5.3R1 – 5.3R12
  • Pulse Policy Secure 5.2R1 – 5.2R12
  • Pulse Policy Secure 5.1R1 – 5.1R15
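
As an added example (not part of the original advisory, and not a vendor tool), the following Python script checks an appliance inventory against the affected ranges listed above. The hostnames and inventory entries are constructed for illustration. It assumes the vendor's version strings follow the major.minor R release [.patch] form used in the list (for example 9.0R3.3), and it reports any version outside every listed range as "not listed", which covers both releases above the top of a range and releases older than the lowest one.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges exactly as listed in the advisory (both ends inclusive):
# (product, lowest affected release, highest affected release).
AFFECTED = [
    ("Pulse Connect Secure", "9.0R1", "9.0R3.3"),
    ("Pulse Connect Secure", "8.3R1", "8.3R7"),
    ("Pulse Connect Secure", "8.2R1", "8.2R12"),
    ("Pulse Connect Secure", "8.1R1", "8.1R15"),
    ("Pulse Policy Secure", "9.0R1", "9.0R3.1"),
    ("Pulse Policy Secure", "5.4R1", "5.4R7"),
    ("Pulse Policy Secure", "5.3R1", "5.3R12"),
    ("Pulse Policy Secure", "5.2R1", "5.2R12"),
    ("Pulse Policy Secure", "5.1R1", "5.1R15"),
]

# Assumed version format: <major>.<minor>R<release>[.<patch>], e.g. "8.3R7.1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Constructed sample inventory: (hostname, product, reported version).
SAMPLE_INVENTORY = [
    ("vpn-1.example.test", "Pulse Connect Secure", "9.0R3.3"),
    ("vpn-2.example.test", "Pulse Connect Secure", "9.0R3.4"),
    ("vpn-3.example.test", "Pulse Connect Secure", "8.2R12"),
    ("vpn-4.example.test", "Pulse Connect Secure", "8.3R7.1"),
    ("nac-1.example.test", "Pulse Policy Secure", "5.4R7"),
    ("nac-2.example.test", "Pulse Policy Secure", "9.0R3.2"),
]


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Turn '9.0R3.3' into (9, 0, 3, 3); a missing patch number counts as 0.

    Comparing tuples of integers avoids the classic string-ordering bug where
    '9.0R10' would sort before '9.0R3'.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse version string: {s!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product: str, version: str) -> Optional[str]:
    """Return the matching affected range as 'low - high', or None when the
    version is outside every listed range for that product."""
    v = parse_version(version)
    for prod, low, high in AFFECTED:
        if prod != product:
            continue
        if parse_version(low) <= v <= parse_version(high):
            return f"{low} - {high}"
    return None


def triage(inventory: List[Tuple[str, str, str]]):
    """Split an inventory into (needs_patch, not_listed) buckets.

    Each output entry is (hostname, product, version, matched_range_or_None).
    """
    needs_patch, not_listed = [], []
    for host, product, version in inventory:
        rng = is_affected(product, version)
        (needs_patch if rng else not_listed).append((host, product, version, rng))
    return needs_patch, not_listed


if __name__ == "__main__":
    needs_patch, not_listed = triage(SAMPLE_INVENTORY)
    for host, product, version, rng in needs_patch:
        print(f"PATCH    {host:22} {product} {version} (in affected range {rng})")
    for host, product, version, _ in not_listed:
        print(f"not listed {host:22} {product} {version}")
```

Run it against an exported inventory of appliances and version strings; every host flagged PATCH falls inside a range the advisory lists as affected. The check is only as good as the list it encodes, so a "not listed" result means the version is outside the ranges on this page, not that the appliance has been verified against the vendor's current advisory, and a version string in an unexpected format raises an error rather than being silently skipped.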

Mitigations

This vulnerability has no viable workaround other than applying vendor-provided patches and performing required system updates.

CISA strongly urges users and administrators to upgrade to the corresponding patches.[2]

January 10, 2020: Initial release
April 15, 2020: Revised to correct the vulnerability type.