CVE-2019-11540
published 2019-04-26CVE-2019-11540: In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX…
PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
8.26%
94.2th percentile
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.
Affected
26 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Target products: Pulse Connect Secure 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1; Pulse Policy Secure 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1 — unauthenticated remote session hijacking attack vector ↗
- ·Affected versions are Pulse Connect Secure 9.0RX < 9.0R3.4 and 8.3RX < 8.3R7.1, and Pulse Policy Secure 9.0RX < 9.0R3.2 and 5.4RX < 5.4R7.1; no patch version details beyond these ranges are provided in the source ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv3.08.3HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-rp2c-496x-gf5c: In Pulse Secure Pulse Connect Secure version 9
ghsa_unreviewed·2022-05-24
CVE-2019-11540 [CRITICAL] GHSA-rp2c-496x-gf5c: In Pulse Secure Pulse Connect Secure version 9
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.
Ivanti
Ivanti Security Advisory: CVE-2019-11540
vendor_ivanti·2019-04-26·CVSS 9.8
CVE-2019-11540 [CRITICAL] Ivanti Security Advisory: CVE-2019-11540
Ivanti Security Advisory: CVE-2019-11540
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.
CVE IDs: CVE-2019-11540
CVSS Base Score: 9.8
Severity: CRITICAL
No detection rules found.
No public exploits indexed.
HackerOne
Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███)
hackerone·2024-06-18·CVSS 7.2
CVE-2019-11510 [HIGH] Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███)
Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███)
##Description
Hello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:
**CVE-2019-11510 - Pre-auth Arbitrary File Reading**
CVE-2019-11542 - Post-auth Stack Buffer Overflow
**CVE-2019-11539 - Post-auth Command Injection**
CVE-2019-11538 - Post-auth Arbitrary File Reading
**CVE-2019-11508 - Post-auth Arbitrary File Writing**
CVE-2019-11540 - Post-auth Session Hijacking
Link to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
I discovered that `https://██████████` instance is vulnerable to described vulnerabilities.
##POC
Reading `/etc/p
HackerOne
Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████
hackerone·2021-07-29·CVSS 7.2
CVE-2019-11510 [HIGH] Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████
Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████
##Description
Hello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:
**CVE-2019-11510 - Pre-auth Arbitrary File Reading**
CVE-2019-11542 - Post-auth Stack Buffer Overflow
**CVE-2019-11539 - Post-auth Command Injection**
CVE-2019-11538 - Post-auth Arbitrary File Reading
**CVE-2019-11508 - Post-auth Arbitrary File Writing**
CVE-2019-11540 - Post-auth Session Hijacking
Link to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
I discovered that `https://██████████` instance is vulnerable to described vulnerabilities.
##POC
Reading `/etc/passwd` v
HackerOne
Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███
hackerone·2019-12-02·CVSS 7.2
CVE-2019-11510 [HIGH] Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███
Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███
##Description
Hello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:
**CVE-2019-11510 - Pre-auth Arbitrary File Reading**
CVE-2019-11542 - Post-auth Stack Buffer Overflow
**CVE-2019-11539 - Post-auth Command Injection**
CVE-2019-11538 - Post-auth Arbitrary File Reading
**CVE-2019-11508 - Post-auth Arbitrary File Writing**
CVE-2019-11540 - Post-auth Session Hijacking
Link to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
I discovered that https://████ instance is vulnerable to described vulnerabilities.
##POC
Extracting `/etc/passwd` as examp
HackerOne
Potential pre-auth RCE on Twitter VPN
hackerone·2019-08-10·CVSS 7.2
[HIGH] Potential pre-auth RCE on Twitter VPN
Potential pre-auth RCE on Twitter VPN
Hi, we(Orange Tsai and Meh Chang) are the security research team from DEVCORE. Recently, we are doing a research about SSL VPN security, and found several critical vulnerabilities on Pulse Secure SSL VPN! We have reported to vendor and [patches](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101) have been released on `2019/4/25`. Since that, we keep monitoring numerous large corporations using Pulse Secure and we noticed that Twitter haven't patched the SSL VPN server over one month!
These vulnerabilities include a pre-auth file reading(CVSS 10) and a post-auth(admin) command injection(CVSS 8.0) which can be chained into a pre-auth RCE! Here are all vulnerabilities we found:
* CVE-2019-11510 - Pre-auth Arbitrary File Reading
* CV
Tenable
CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secure
blogs_tenable·2019-08-21·CVSS 10.0
[CRITICAL] CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secure
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
http://www.securityfocus.com/bid/108073https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdfhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010https://www.kb.cert.org/vuls/id/927237http://www.securityfocus.com/bid/108073https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdfhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010https://www.kb.cert.org/vuls/id/927237
2019-04-26
Published