CVE-2020-8260
published 2020-10-28

CISA Known Exploited Vulnerability (remediation due 2022-05-03)
Exploited in the wild
EPSS: 96.48% (99.9th percentile)
A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.

Affected

3 ranges

Vendor | Product | Version range | Fixed in
ivanti | connect_secure | <= 9.0 |
ivanti | connect_secure | |
pulse_connect_secure | pulse_policy_secure | |

Detection & IOCs (extracted from sources)

path: /home/runtime/tmp/tt/
path: /home/bin/
snort: Snort Rules 51288, 51289, 51390, 57452-57459, and 57461-57468
  • Exploitation targets the Pulse Connect Secure admin web interface using a malicious gzip archive upload; monitor for anomalous archive extraction activity in the admin interface, particularly files written to /home/runtime/tmp/tt/.
  • SSL/TLS decryption must be enabled on Cisco Secure Firewall and Snort to detect exploitation attempts, as the vulnerable admin interface leverages SSL.
  • A public Metasploit module exists for this vulnerability (pulse_secure_gzip_rce); monitor for exploitation attempts using this module against Pulse Connect Secure admin interfaces on versions prior to 9.1R9.
  • Exploitation requires authenticated administrator credentials; detections should account for the possibility that attacker credentials were obtained via a prior vulnerability (e.g., CVE-2019-11510 credential theft).
  • Snort rules covering CVE-2020-8260 exploitation are subject to change; always reference the latest rules from Firepower Management Center or Snort.org.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck | | 7.2 | HIGH |
cisa | | 7.2 | HIGH |