CVE-2019-11542
published 2019-04-26
Priority: P263 · high · 7.2 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 66.60% (99.2th percentile)
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, an authenticated attacker (via the admin web interface) can send a specially crafted message resulting in a stack buffer overflow.
Affected
97 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
| pulsesecure | pulse_connect_secure | — | — |
Detection & IOCs
- Exploitation requires an authenticated attacker sending a specially crafted message via the admin web interface, so monitor for anomalous or unexpected POST/request activity to the Pulse Connect Secure / Pulse Policy Secure admin web interface from authenticated sessions.
- Affected Pulse Connect Secure versions: 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, 8.1RX before 8.1R15.1. Affected Pulse Policy Secure versions: 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, 5.1RX before 5.1R15.1. Ensure admin web interface access is restricted to trusted IPs only to reduce attack surface.
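CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.0 | HIGH | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |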
Ivanti
Ivanti Security Advisory: CVE-2019-11542
vendor_ivanti·2019-04-26·CVSS 7.2
CVE IDs: CVE-2019-11542
CVSS Base Score: 7.2
Severity: HIGH
CWEs: CWE-787
GHSA
GHSA-2g59-pjjw-j55p: In Pulse Secure Pulse Connect Secure version 9
ghsa_unreviewed·2022-05-24
CVE-2019-11542 [HIGH] CWE-787 GHSA-2g59-pjjw-j55p: In Pulse Secure Pulse Connect Secure version 9
No detection rules found.
No public exploits indexed.
HackerOne
Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███)
hackerone·2024-06-18·CVSS 7.2
CVE-2019-11510 [HIGH] Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███)
## Description
Hello. Some time ago, researcher Orange Tsai from the DEVCORE team gave a talk at Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:
**CVE-2019-11510 - Pre-auth Arbitrary File Reading**
CVE-2019-11542 - Post-auth Stack Buffer Overflow
**CVE-2019-11539 - Post-auth Command Injection**
CVE-2019-11538 - Post-auth Arbitrary File Reading
**CVE-2019-11508 - Post-auth Arbitrary File Writing**
CVE-2019-11540 - Post-auth Session Hijacking
Link to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
I discovered that the `https://██████████` instance is vulnerable to the described vulnerabilities.
## POC
Reading `/etc/p
HackerOne
Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████
hackerone·2021-07-29·CVSS 7.2
CVE-2019-11510 [HIGH] Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████
## Description
Hello. Some time ago, researcher Orange Tsai from the DEVCORE team gave a talk at Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:
**CVE-2019-11510 - Pre-auth Arbitrary File Reading**
CVE-2019-11542 - Post-auth Stack Buffer Overflow
**CVE-2019-11539 - Post-auth Command Injection**
CVE-2019-11538 - Post-auth Arbitrary File Reading
**CVE-2019-11508 - Post-auth Arbitrary File Writing**
CVE-2019-11540 - Post-auth Session Hijacking
Link to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
I discovered that the `https://██████████` instance is vulnerable to the described vulnerabilities.
## POC
Reading `/etc/passwd` v
HackerOne
Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███
hackerone·2019-12-02·CVSS 7.2
CVE-2019-11510 [HIGH] Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███
## Description
Hello. Some time ago, researcher Orange Tsai from the DEVCORE team gave a talk at Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:
**CVE-2019-11510 - Pre-auth Arbitrary File Reading**
CVE-2019-11542 - Post-auth Stack Buffer Overflow
**CVE-2019-11539 - Post-auth Command Injection**
CVE-2019-11538 - Post-auth Arbitrary File Reading
**CVE-2019-11508 - Post-auth Arbitrary File Writing**
CVE-2019-11540 - Post-auth Session Hijacking
Link to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
I discovered that the https://████ instance is vulnerable to the described vulnerabilities.
## POC
Extracting `/etc/passwd` as examp
HackerOne
Potential pre-auth RCE on Twitter VPN
hackerone·2019-08-10·CVSS 7.2
[HIGH] Potential pre-auth RCE on Twitter VPN
Hi, we (Orange Tsai and Meh Chang) are the security research team from DEVCORE. Recently, we have been doing research on SSL VPN security, and found several critical vulnerabilities in Pulse Secure SSL VPN! We have reported them to the vendor, and [patches](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101) were released on `2019/4/25`. Since then, we have kept monitoring numerous large corporations using Pulse Secure, and we noticed that Twitter hasn't patched the SSL VPN server for over one month!
These vulnerabilities include a pre-auth file reading (CVSS 10) and a post-auth (admin) command injection (CVSS 8.0), which can be chained into a pre-auth RCE! Here are all the vulnerabilities we found:
* CVE-2019-11510 - Pre-auth Arbitrary File Reading
* CV
Tenable
CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secure
blogs_tenable·2019-08-21·CVSS 10.0
[CRITICAL] CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secure
- http://www.securityfocus.com/bid/108073
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
- https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- https://www.kb.cert.org/vuls/id/927237