CERT mailing list archives

AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Fri, 10 Jan 2020 10:23:15 -0600


National Cyber Awareness System:



AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability [ https://www.us-cert.gov/ncas/alerts/aa20-010a ] 
01/10/2020 06:45 AM EST 
Original release date: January 10, 2020

Summary

Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations 
that have not applied the software patch to fix a remote code execution (RCE) vulnerability, known as CVE-2019-11510, 
can become compromised in an attack. [1] [ https://nvd.nist.gov/vuln/detail/CVE-2019-11510 ]

Although Pulse Secure [2] [ https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ ] disclosed the 
vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and 
Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510. [3] [ 
https://www.kb.cert.org/vuls/id/927237/ ] [4] [ 
https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications ] [5] [ 
https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn ]

CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and 
administrators to upgrade to the corresponding fixes. [6] [ 
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ ]

Timelines of Specific Events

  * April 24, 2019: Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities. 
  * May 28, 2019: Large commercial vendors get reports of vulnerable VPN through HackerOne. 
  * July 31, 2019: Full RCE use of exploit demonstrated using the admin session hash to get complete shell. 
  * August 8, 2019: Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with 
detailed attack on active VPN exploitation. 
  * August 24, 2019: Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of 
an upgrade. 
  * October 7, 2019: The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN 
products being targeted actively by advanced persistent threat actors. 
  * October 16, 2019: The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN 
contains multiple vulnerabilities. 
  * January 2020: Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil 
(Sodinokibi) ransomware. 

Technical Details

Impact

A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain 
access to all active users and their plain-text credentials. It may also be possible for the attacker to execute 
arbitrary commands on each VPN client as it successfully connects to the VPN server.

Affected versions:


  * Pulse Connect Secure 9.0R1 - 9.0R3.3 
  * Pulse Connect Secure 8.3R1 - 8.3R7 
  * Pulse Connect Secure 8.2R1 - 8.2R12 
  * Pulse Connect Secure 8.1R1 - 8.1R15 
  * Pulse Policy Secure 9.0R1 - 9.0R3.1 
  * Pulse Policy Secure 5.4R1 - 5.4R7 
  * Pulse Policy Secure 5.3R1 - 5.3R12 
  * Pulse Policy Secure 5.2R1 - 5.2R12 
  * Pulse Policy Secure 5.1R1 - 5.1R15 

Mitigations

This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing 
required system updates.

CISA strongly urges users and administrators to upgrade to the corresponding fixes. [7] [ 
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ ]

References

  * [1] NIST NVD CVE-2019-11510 [ https://nvd.nist.gov/vuln/detail/CVE-2019-11510 ] 
  * [2] Pulse Secure Advisory SA44101 [ https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ ] 
  * [3] CERT/CC Vulnerability Note VU#927237 [ https://www.kb.cert.org/vuls/id/927237/ ] 
  * [4] CISA Current Activity: Vulnerabilities in Multiple VPN Applications [ 
https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications ] 
  * [5] CISA Current Activity: Multiple Vulnerabilities in Pulse Secure VPN [ 
https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn ] 
  * [6] Pulse Secure Advisory SA44101 [ https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ ] 
  * [7] Pulse Secure Advisory SA44101 [ https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ ] 

Revisions

  * January 10, 2020: Initial Version 
________________________________________________________________________

This product is provided subject to this Notification [ https://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ https://www.dhs.gov/privacy-policy ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 
