CVE-2020-8218
Published 2020-07-30. CVE-2020-8218: A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to craft a URI to perform arbitrary code execution via the…
Priority: P1 · 79 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-09-07)
Exploited in the wild
EPSS: 32.74% (98.1th percentile)
A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | <= 9.0 | — |
| ivanti | connect_secure | — | — |
| ivanti | policy_secure | — | — |
| pulsesecure | pulse_policy_secure | <= 9.0 | — |
Detection & IOCs (extracted from sources)
- url: /downloadlicenses.cgi?cmd=download
- other: &txtVLSAuthCode=
- other: %3b

Snort rule:

```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloadlicenses.cgi?cmd=download"; content:"&txtVLSAuthCode="; distance:0; fast_pattern; http.uri.raw; content:"%3b"; reference:url,www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/; classtype:attempted-admin; sid:2030804; rev:1; metadata:affected_product Pulse_Secure, created_at 2020_08_27, cve CVE_2020_8218, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_27;)
```
- Exploit traffic arrives as an inbound HTTP GET request to the Pulse Secure admin web interface, targeting the /downloadlicenses.cgi endpoint with a cmd=download parameter and a txtVLSAuthCode parameter that contains a URL-encoded semicolon (%3b), indicating attempted command injection.
- The presence of a URL-encoded semicolon (%3b) in the raw URI of requests to /downloadlicenses.cgi is the key injection indicator: the semicolon is what chains OS commands in the crafted URI. The rule inspects http.uri.raw for it because the normalized http.uri buffer would already have decoded %3b to a plain semicolon.
- Exploitation is performed via the admin web interface; detection should be deployed at the perimeter, internally, and on SSL-decrypting sensors so that encrypted admin traffic is covered.
- The vulnerability affects Pulse Connect Secure versions prior to 9.1R8; any device running an older version with the admin interface exposed should be treated as at risk.
- The Snort/Suricata rule (sid:2030804) targets inbound traffic to $HTTP_SERVERS and $HOME_NET; ensure these variables are scoped to include the Pulse Secure VPN appliance IPs, otherwise the rule will never fire.
- SSL/TLS decryption must be enabled on the monitoring sensor for this rule to be effective against HTTPS admin traffic, as noted in the rule metadata (deployment SSLDecrypt).
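The following added example, which is not code from the page or from Proofpoint/ET, re-implements the content checks of sid:2030804 in Python and runs them over constructed HTTP request lines. It shows why the rule switches from the normalized http.uri buffer to http.uri.raw for the `%3b` check: percent-decoding in the normalized buffer would hide the encoded semicolon. The request lines and the `scan` helper are assumptions made for this example.

```python
from urllib.parse import unquote

CGI_MARKER = "/downloadlicenses.cgi?cmd=download"
PARAM_MARKER = "&txtVLSAuthCode="

# Constructed request lines for this example (not captured traffic).
# Only the first one satisfies all of the rule's content checks.
SAMPLE_REQUESTS = [
    "GET /downloadlicenses.cgi?cmd=download&txtVLSAuthCode=x%3by HTTP/1.1",
    "GET /downloadlicenses.cgi?cmd=download&txtVLSAuthCode=ABCD1234 HTTP/1.1",
    "POST /downloadlicenses.cgi?cmd=download&txtVLSAuthCode=x%3by HTTP/1.1",
    "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1",
]


def matches_sid_2030804(request_line: str) -> bool:
    """True when a request line satisfies every content check of ET sid:2030804."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    method, raw_uri = parts[0], parts[1]

    # http.method; content:"GET"
    if method != "GET":
        return False

    # http.uri is the normalized buffer: percent-encoding is already decoded here,
    # which is why "%3b" cannot be matched against it.
    norm_uri = unquote(raw_uri)
    first = norm_uri.find(CGI_MARKER)
    if first < 0:
        return False

    # distance:0 -> "&txtVLSAuthCode=" must start at or after the end of the
    # previous match, so the parameter must follow cmd=download in the URI.
    if norm_uri.find(PARAM_MARKER, first + len(CGI_MARKER)) < 0:
        return False

    # http.uri.raw; content:"%3b" -> the encoded semicolon is only visible
    # in the raw, undecoded URI.
    return "%3b" in raw_uri


def scan(requests):
    """Return the request lines that the rule logic would alert on."""
    return [r for r in requests if matches_sid_2030804(r)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("ALERT sid:2030804:", hit)
```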
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 7.2 | HIGH | — |
GHSA
GHSA-29h7-cpmq-mh8j: A code injection vulnerability exists in Pulse Connect Secure <9
ghsa_unreviewed · 2022-05-24 · CVE-2020-8218 · MEDIUM · CWE-94
A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.
VulnCheck
Pulse Connect Secure Code Injection Vulnerability (CVE-2020-8218, HIGH, CWE-94)
vulncheck · 2020 · CVSS 7.2
A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.
Affected: Pulse Secure Pulse Connect Secure
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement
Exploit PoC: https://vulncheck.com/xdb/5617ca2523fa
Remediation Due: 2022-09-07
VulnCheck
D-Link Multiple Routers Command Injection Vulnerability (CVE-2019-16920, CRITICAL, CWE-78)
vulncheck · 2019 · CVSS 9.8
Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise.
Affected: D-Link Multiple Routers
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer
- https://www.bleepingcomputer.com/news/security/us-charges-chinese-winnti-hackers-for-attacking-100-plus-companies/
- https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/
- https://cisa.gov/news-events/cybersecurity-advisories/aa20-275a
- https://us-cert.cisa.gov/ncas/alerts/aa20-275
VulnCheck
LG supersign_cms Improper Control of Generation of Code ('Code Injection') (CVE-2018-17173, CRITICAL)
vulncheck · 2018 · CVSS 9.8
LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.
Affected: LG supersign_cms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/
- https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors
- https://web.archive.org/web/20200319160240/https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/
- https://www.trendmicro.com/en_us/research/20/g/new-
VulnCheck
Dasan GPON Routers Authentication Bypass Vulnerability (CVE-2018-10561, CRITICAL, CWE-287)
vulncheck · 2018 · CVSS 9.8
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.
Affected: Dasan Gigabit Passive Optical Network (GPON) Routers
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2018-10561
- https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/
- https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/
- https://www.virusbulletin.com/virusbulletin/2019/12/vb2019-paper-absolutely-routed-why-routers-are-new-bul
VulnCheck
huawei hg532_firmware Improper Input Validation (CVE-2017-17215, HIGH)
vulncheck · 2017 · CVSS 8.8
Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code.
Affected: huawei hg532_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://research.checkpoint.com/2017/good-zero-day-skiddie/
- https://threatpost.com/huawei-router-vulnerability-used-to-spread-mirai-variant/129238/
- https://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/
- https://www.netscout.com/b
VulnCheck
D-Link DIR-645 Router Remote Code Execution Vulnerability (CVE-2015-2051, CRITICAL, CWE-77)
vulncheck · 2015 · CVSS 9.8
D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.
Affected: D-Link DIR-645 Router
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Exploitation References:
- https://www.trendmicro.com/en_us/research/19/e/new-mirai-variant-uses-multiple-exploits-to-target-routers-and-other-devices.html
- https://web.archive.org/web/20200319160240/https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/
- https://blog.lumen.com/new-mozi-malware-family-quietly-amasses-iot-bots/
- https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.
CISA
Pulse Connect Secure Code Injection Vulnerability (CVE-2020-8218, HIGH, CWE-94)
cisa · 2022-03-07 · CVSS 7.2
Affected: Pulse Secure Pulse Connect Secure
A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-8218
Remediation Due Date: 2022-09-07
Ivanti
Pulse Connect Secure Code Injection Vulnerability (CVE-2020-8218, HIGH)
vendor_ivanti · 2022-03-07 · CVSS 7.2
A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.
CVE IDs: CVE-2020-8218
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply updates per vendor instructions.
Remediation Due Date: 2022-09-07
Suricata
ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218) (CVE-2020-8218, HIGH)
suricata · 2020-08-27 · CVSS 7.2
Rule:

```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloadlicenses.cgi?cmd=download"; content:"&txtVLSAuthCode="; distance:0; fast_pattern; http.uri.raw; content:"%3b"; reference:url,www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/; classtype:attempted-admin; sid:2030804; rev:1; metadata:affected_product Pulse_Secure, created_at 2020_08_27, cve CVE_2020_8218, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_
```
No public exploits indexed.
References:
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516
- https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8218
Timeline:
- 2020-07-30: Published
- 2022-03-07: Added to CISA KEV
- Exploited in the wild