CVE-2020-11581
published 2020-04-06


Priority: P353 | high 8.1 (CVSS 3.1)
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.84% (95.0th percentile)
An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, allows a man-in-the-middle attacker to perform OS command injection attacks (against a client) via shell metacharacters to the doCustomRemediateInstructions method, because Runtime.getRuntime().exec() is used.

Affected

1 range
Vendor | Product | Version range | Fixed in
pulsesecure | pulse_connect_secure | <= 2020-04-06 |

Detection & IOCs (extracted from sources)

filename: tncc.jar
  • Monitor for OS command injection via shell metacharacters passed to the doCustomRemediateInstructions method in tncc.jar on macOS, Linux, and Solaris Pulse Secure clients; the vulnerable code path uses Runtime.getRuntime().exec().
  • The related CVE-2020-11582 shows that tncc.jar launches a TCP server accepting local connections on a random port; a setcookie command accepted by this server may be leveraged as part of CVE-2020-11581 exploitation — monitor for unexpected local TCP listeners spawned by the tncc.jar process and anomalous 'setcookie' commands sent to them.
  • Exploitation requires a man-in-the-middle position against the Pulse Secure Host Checker policy enforcement flow; detect anomalous TLS/TCP interception targeting Pulse Connect Secure client communications on macOS, Linux, and Solaris endpoints.
  • The vulnerability affects Pulse Connect Secure (PCS) clients through 2020-04-06. Only macOS, Linux, and Solaris clients running the tncc.jar Host Checker applet are affected; Windows clients are not in scope.
  • The TCP server spawned by tncc.jar (CVE-2020-11582) binds to a random local port, making static port-based detection unreliable; process-based monitoring of tncc.jar network activity is required.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C