cbcvebase.
CVE-2019-11539
published 2019-04-26


Priority: P1 · 87 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability (due 2022-05-03)
Exploited in the wild
EPSS: 98.62% (99.9th percentile)
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

Affected

72 ranges (25 shown; the version range and fixed-in columns were not recovered from the source table)

Vendor / Product
  • ivanti / connect_secure (4 rows)
  • ivanti / policy_secure (1 row)
  • ivanti / pulse_connect_secure (1 row)
  • pulsesecure / pulse_policy_secure (19 rows)

Detection & IOCs (extracted from sources)

path: /dana-admin/diag/diag.cgi
path: /dana-na/auth/setcookie.cgi
path: /dana-na/auth/url_admin/login.cgi
path: /data/runtime/tmp/tt/setcookie.thtml.ttc
command: -r$x="<cmd>",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <
cookie: DSID=<session_id>
port: 443
other: xsauth=<hex_token>
  • Exploit sends a GET request to /dana-admin/diag/diag.cgi with parameter 'a=td' (tcpdump action) and an 'options' parameter containing the Perl injection payload '-r$x="<cmd>",system$x#' to overwrite /data/runtime/tmp/tt/setcookie.thtml.ttc, then triggers execution via a second GET to /dana-na/auth/setcookie.cgi.
  • The injection payload uses Perl syntax: -r$x="<command>",system$x# to inject arbitrary OS commands via the tcpdump 'options' parameter. Detect GET requests to /dana-admin/diag/diag.cgi containing 'system' and '$x' in the 'options' query parameter.
  • The exploit uses 'env' to bypass application whitelisting before the injected command. Look for 'env ' prepended to commands in the options parameter.
  • The exploit requires a valid admin DSID session cookie. Monitor for DSID cookie usage against /dana-admin/ paths from unexpected source IPs, especially combined with requests to diag.cgi.
  • Post-exploitation: attacker downloads files using /home/bin/curl (not in $PATH by default) and modifies /etc/cloud_sshd_config and /.ssh/authorized_keys to establish persistent SSH root access on port 6667.
  • The CSRF token 'xsauth' is extracted from the diag.cgi page body via regex scan for /xsauth=([[:xdigit:]]+)/. Monitor for rapid sequential GET then GET patterns to diag.cgi followed by setcookie.cgi.
  • Google dork for exposed vulnerable endpoints: inurl:/dana-na/ filetype:cgi
  • CVE-2019-11539 is known to be used in ransomware campaigns and is listed in the CISA Known Exploited Vulnerabilities catalog. Prioritize detection and patching accordingly.
  • The exploit payload has bad characters that must be avoided: &*(){}[]`;|?\n~<>"'. The Metasploit module forces manual bad-character analysis with the 'generic/none' encoder for the Unix In-Memory target.
  • The CTF writeup demonstrates that \x2a (ASCII '*') can be used as a wildcard substitute for '$' in the payload to bypass certain character filters, and that Unicode line terminators (U+2028 LINE SEPARATOR) can replace filtered \n/\r.
  • Affected versions: Pulse Connect Secure 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, 8.1RX before 8.1R15.1; Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, 5.1RX before 5.1R15.1.
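The detection guidance above (injection markers in the diag.cgi 'options' parameter, the 'env ' prefix, and the diag.cgi-then-setcookie.cgi sequence) as a worked log check. This is an added example, not code from the page or from any vendor or module it mentions; it assumes web-server access logs in Common Log Format that retain the query string, and the log lines below are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (Common Log Format); not real traffic.
# The first client sends the Perl injection via 'options' and then hits setcookie.cgi;
# the second runs a legitimate tcpdump diagnostic and must not alert.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Apr/2019:10:00:01 +0000] "GET /dana-admin/diag/diag.cgi?a=td&options=-r%24x%3D%22env+id%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&xsauth=deadbeef HTTP/1.1" 200 512
203.0.113.7 - - [26/Apr/2019:10:00:02 +0000] "GET /dana-na/auth/setcookie.cgi HTTP/1.1" 200 120
198.51.100.4 - - [26/Apr/2019:10:05:00 +0000] "GET /dana-admin/diag/diag.cgi?a=td&options=-c+100+port+53 HTTP/1.1" 200 512
198.51.100.4 - - [26/Apr/2019:10:07:00 +0000] "GET /dana-na/auth/setcookie.cgi HTTP/1.1" 200 120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
CMD_RE = re.compile(r'\$x="([^"]*)"')  # the command embedded in -r$x="<cmd>",system$x#

def injected_command(url):
    """Return the injected command string if the URL carries the diag.cgi payload, else None."""
    parts = urlsplit(url)
    if parts.path != "/dana-admin/diag/diag.cgi":
        return None
    opts = " ".join(parse_qs(parts.query).get("options", []))  # percent-decoded
    if "system" not in opts or "$x" not in opts:
        return None
    m = CMD_RE.search(opts)
    return m.group(1) if m else opts

def detect(log_text, window=timedelta(minutes=5)):
    """Scan log lines; alert on the injection and on a setcookie.cgi trigger that follows it."""
    pending, alerts = {}, []  # pending: ip -> time of last injection attempt
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, url = m["ip"], m["url"]
        cmd = injected_command(url) if m["method"] == "GET" else None
        if cmd is not None:
            alerts.append({"ip": ip, "reason": "diag.cgi options injection", "time": ts,
                           "command": cmd, "uses_env": cmd.startswith("env ")})
            pending[ip] = ts
        elif urlsplit(url).path == "/dana-na/auth/setcookie.cgi" and ip in pending \
                and ts - pending.pop(ip) <= window:
            alerts.append({"ip": ip, "reason": "setcookie.cgi trigger after injection",
                           "time": ts, "command": None, "uses_env": False})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["time"].isoformat(), a["ip"], a["reason"], a["command"])
```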

CVSS provenance

nvd (v3.1): 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd (v3.0): 8.0 HIGH, CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
nvd (v2.0): 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck: 7.2 HIGH
cisa: 7.2 HIGH