CVE-2020-8218
published 2020-07-30


Priority: P1 79 (high)
CVSS 3.1: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-09-07
Exploited in the wild
EPSS: 32.74% (98.1th percentile)
A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.

Affected

4 ranges

Vendor       Product              Version range  Fixed in
ivanti       connect_secure       <= 9.0
ivanti       connect_secure
ivanti       policy_secure
pulsesecure  pulse_policy_secure  <= 9.0

Detection & IOCs (extracted from sources)

url: /downloadlicenses.cgi?cmd=download
other: &txtVLSAuthCode=
other: %3b
snort:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloadlicenses.cgi?cmd=download"; content:"&txtVLSAuthCode="; distance:0; fast_pattern; http.uri.raw; content:"%3b"; reference:url,www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/; classtype:attempted-admin; sid:2030804; rev:1; metadata:affected_product Pulse_Secure, created_at 2020_08_27, cve CVE_2020_8218, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_27;)
  • Exploit traffic arrives as an inbound HTTP GET request to the Pulse Secure admin web interface targeting the /downloadlicenses.cgi endpoint with a cmd=download parameter and a txtVLSAuthCode parameter containing a URL-encoded semicolon (%3b), indicating attempted command injection.
  • The presence of a URL-encoded semicolon (%3b) in the raw URI of requests to /downloadlicenses.cgi is the key injection indicator — the semicolon is used to chain OS commands in the crafted URI.
  • Exploitation is performed via the admin web interface; detection should be deployed at the perimeter, internally, and on SSL-decrypting sensors to catch encrypted traffic.
  • The vulnerability affects Pulse Connect Secure versions prior to 9.1R8; any device on an older version whose admin interface is reachable should be treated as at risk.
  • The Snort/Suricata rule (sid:2030804) targets inbound traffic to $HTTP_SERVERS and $HOME_NET; ensure these variables are correctly scoped to include Pulse Secure VPN appliance IPs, otherwise the rule will not fire.
  • SSL/TLS decryption must be enabled on the monitoring sensor for this rule to be effective against HTTPS admin traffic, as noted in the rule metadata.
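
The rule's match conditions applied offline to web access logs, for hunting where no decrypting sensor was in place; this is an added example, not code from the original page or the rule's authors. The combined-log format, the sample lines, and the names `match_request` and `scan` are assumptions, and the check also accepts `%3B`, which is broader than the rule's case-sensitive match.

```python
import re

# Request field of a combined-format access log: "METHOD raw-uri HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
ENDPOINT = "/downloadlicenses.cgi?cmd=download"
PARAM = "&txtVLSAuthCode="

def match_request(method, raw_uri):
    """Return a verdict dict if the request meets the sid:2030804 conditions, else None."""
    if method != "GET":
        return None
    start = raw_uri.find(ENDPOINT)
    if start == -1:
        return None
    # distance:0 in the rule: the parameter must appear after the endpoint match.
    p = raw_uri.find(PARAM, start + len(ENDPOINT))
    if p == -1:
        return None
    # The rule matches "%3b" case-sensitively on the raw URI. Percent-encoding is
    # case-insensitive, so this check lowercases first (assumption: wider than the rule).
    if "%3b" not in raw_uri.lower():
        return None
    value = raw_uri[p + len(PARAM):].split("&", 1)[0]
    # in_param tells the analyst whether the semicolon sits inside txtVLSAuthCode itself.
    return {"uri": raw_uri, "in_param": "%3b" in value.lower()}

def scan(lines):
    """Yield (line_number, verdict) for every log line that matches."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        hit = match_request(m["method"], m["uri"]) if m else None
        if hit:
            yield n, hit

# Constructed sample log lines: documentation addresses, placeholder path prefix and values.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Aug/2020:10:01:02 +0000] "GET /PLACEHOLDER/downloadlicenses.cgi?cmd=download&txtVLSAuthCode=ABC123 HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Aug/2020:10:05:40 +0000] "GET /PLACEHOLDER/downloadlicenses.cgi?cmd=download&txtVLSAuthCode=ABC123%3bPLACEHOLDER HTTP/1.1" 200 0',
    '203.0.113.9 - - [27/Aug/2020:10:05:44 +0000] "GET /PLACEHOLDER/downloadlicenses.cgi?cmd=download&txtVLSAuthCode=ABC123%3BPLACEHOLDER HTTP/1.1" 200 0',
    '203.0.113.9 - - [27/Aug/2020:10:05:49 +0000] "POST /PLACEHOLDER/downloadlicenses.cgi?cmd=download&txtVLSAuthCode=ABC123%3bPLACEHOLDER HTTP/1.1" 200 0',
    '198.51.100.7 - - [27/Aug/2020:10:07:11 +0000] "GET /PLACEHOLDER/downloadlicenses.cgi?cmd=download&txtVLSAuthCode=ABC123&note=a%3bb HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Aug/2020:10:09:30 +0000] "GET /index.cgi?q=a%3bb HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(f"line {n}: in_param={hit['in_param']} uri={hit['uri']}")
```

A hit with `in_param=False` still satisfies the rule, since the rule looks for `%3b` anywhere in the raw URI, but it deserves lower triage priority than one where the semicolon is inside `txtVLSAuthCode`.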

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck           9.8    CRITICAL
cisa                7.2    HIGH