CVE-2020-11581
Published: 2020-04-06
Priority: P3 · 53 · high · 8.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.84% (95.0th percentile)
An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, allows a man-in-the-middle attacker to perform OS command injection attacks (against a client) via shell metacharacters to the doCustomRemediateInstructions method, because Runtime.getRuntime().exec() is used.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pulsesecure | pulse_connect_secure | <= 2020-04-06 | — |
Detection & IOCs (extracted from sources)
- Monitor for OS command injection via shell metacharacters passed to the doCustomRemediateInstructions method in tncc.jar on macOS, Linux, and Solaris Pulse Secure clients; the vulnerable code path uses Runtime.getRuntime().exec().
- The related CVE-2020-11582 shows that tncc.jar launches a TCP server accepting local connections on a random port; a setcookie command accepted by this server may be leveraged as part of CVE-2020-11581 exploitation. Monitor for unexpected local TCP listeners spawned by the tncc.jar process and anomalous 'setcookie' commands sent to them.
- Exploitation requires a man-in-the-middle position against the Pulse Secure Host Checker policy enforcement flow; detect anomalous TLS/TCP interception targeting Pulse Connect Secure client communications on macOS, Linux, and Solaris endpoints.
- The vulnerability affects Pulse Connect Secure (PCS) clients through 2020-04-06; only macOS, Linux, and Solaris clients running the tncc.jar Host Checker applet are affected, and Windows clients are not in scope.
- The TCP server spawned by tncc.jar (CVE-2020-11582) binds to a random local port, making static port-based detection unreliable; process-based monitoring of tncc.jar network activity is required.
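CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |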
GHSA
GHSA-7xjp-88f4-r966: An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06
ghsa_unreviewed · 2022-05-24
CVE-2020-11581 [HIGH] CWE-78
GHSA
GHSA-7mjm-6675-w446: An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06
ghsa_unreviewed · 2022-05-24 · CVSS 8.1
CVE-2020-11582 [HIGH] CWE-307
An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This can be reached by local HTTP clients, because up to 25 invalid lines are ignored, and because DNS rebinding can occur. (This server accepts, for example, a setcookie command that might be relevant to CVE-2020-11581 exploitation.)
Ivanti
Ivanti Security Advisory: CVE-2020-11582
vendor_ivanti · 2020-04-06 · CVSS 8.8
CVE-2020-11582 [HIGH] CWE-668
CVE IDs: CVE-2020-11582
CVSS Base Score: 8.8
Severity: HIGH
CWEs: CWE-668
Ivanti
Ivanti Security Advisory: CVE-2020-11581
vendor_ivanti · 2020-04-06 · CVSS 8.1
CVE-2020-11581 [HIGH] CWE-78
CVE IDs: CVE-2020-11581
CVSS Base Score: 8.1
Severity: HIGH
CWEs: CWE-78
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.