CVE-2019-11539

Published: 26/04/2019 Updated: 29/04/2020
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2
VMScore: 701
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

In Pulse Secure Pulse Connect Secure version 9.0RX prior to 9.0R3.4, 8.3RX prior to 8.3R7.1, 8.2RX prior to 8.2R12.1, and 8.1RX prior to 8.1R15.1 and Pulse Policy Secure version 9.0RX prior to 9.0R3.2, 5.4RX prior to 5.4R7.1, 5.3RX prior to 5.3R12.1, 5.2RX prior to 5.2R12.1, and 5.1RX prior to 5.1R15.1, the admin web interface allows an authenticated malicious user to inject and execute commands.

Affected Products

Vendor | Product | Versions
Pulsesecure | Pulse Connect Secure | 8.1, 8.1r1.0, 8.2, 8.2r1.0, 8.2r1.1, 8.2r2.0, 8.2r3.0, 8.2r3.1, 8.2r4.0, 8.2r4.1, 8.2r5.0, 8.2r5.1, 8.2r6.0, 8.2r7.0, 8.2r7.1, 8.2rx, 8.3, 8.3rx, 9.0r1, 9.0r2, 9.0r2.1, 9.0r3, 9.0r3.1, 9.0r3.2, 9.0rx
Pulsesecure | Pulse Policy Secure | 5.1r1.0, 5.1r1.1, 5.1r2.0, 5.1r2.1, 5.1r3.0, 5.1r3.2, 5.1r4.0, 5.1r5.0, 5.1r6.0, 5.1r7.0, 5.1r8.0, 5.1r9.0, 5.1r9.1, 5.1r10.0, 5.1r11.0, 5.1r11.1, 5.1r12.0, 5.1r12.1, 5.1r13.0, 5.1r14.0, 5.2r1.0, 5.2r2.0, 5.2r3.0, 5.2r3.2, 5.2r4.0, 5.2r5.0, 5.2r6.0, 5.2r7.0, 5.2r7.1, 5.2r8.0, 5.2r9.0, 5.2r9.1, 5.2r10.0, 5.2r11.0, 5.2rx, 5.3r1.0, 5.3r1.1, 5.3r2.0, 5.3r3.0, 5.3r3.1, 5.3r4.0, 5.3r4.1, 5.3r5.0, 5.3r5.1, 5.3r5.2, 5.3r6.0, 5.3r7.0, 5.3r8.0, 5.3r8.1, 5.3r8.2, 5.3r9.0, 5.3r10., 5.3r11.0, 5.3r12.0, 5.3rx, 5.4r1, 5.4r2, 5.4r2.1, 5.4r3, 5.4r4, 5.4r5, 5.4r5.2, 5.4r6, 5.4r6.1, 5.4r7, 5.4rx, 9.0r1, 9.0r2, 9.0r2.1, 9.0r3, 9.0r3.1, 9.0rx

Exploits

#!/usr/bin/python
#
# Exploit Title: Pulse Secure Post-Auth Remote Code Execution
# Google Dork: inurl:/dana-na/ filetype:cgi
# Date: 09/05/2019
# Exploit Author: Justin Wagner (0xDezzy), Alyssa Herrera (@Alyssa_Herrera_)
# Vendor Homepage: pulsesecure.net
# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
...

##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  def initialize(info = {})
    super(update_info(info, ...

Mailing Lists

Pulse Secure versions 8.1R15.1, 8.2, 8.3, and 9.0 SSL VPN remote code execution exploit ...

Metasploit Modules

Pulse Secure VPN Arbitrary Command Execution

This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. A valid administrator session ID is required in lieu of untested SSRF.

msf > use exploit/linux/http/pulse_secure_cmd_exec
msf exploit(pulse_secure_cmd_exec) > show targets
    ...targets...
msf exploit(pulse_secure_cmd_exec) > set TARGET < target-id >
msf exploit(pulse_secure_cmd_exec) > show options
    ...show and set options...
msf exploit(pulse_secure_cmd_exec) > exploit

Github Repositories

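Pulse-Secure-SSL-VPN-CVE-2019 Vulnerability IDs: CVE-2019-11510: arbitrary file read (no authorization required); CVE-2019-11542: stack buffer overflow (administrator privileges); CVE-2019-11539: command injection (administrator privileges); CVE-2019-11538: arbitrary file read via NFS (user privileges); CVE-2019-11508: arbitrary file write via NFS (用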

Recent Articles

FBI: Iranian hackers trying to exploit critical F5 BIG-IP flaw
BleepingComputer • Sergiu Gatlan • 08 Aug 2020

The FBI warns of Iranian hackers actively attempting to exploit an unauthenticated remote code execution flaw affecting F5 Big-IP application delivery controller (ADC) devices used by Fortune 500 firms, government agencies, and banks.
F5 Networks (F5) released security updates to fix the critical 10/10 CVSSv3 rating F5 Big-IP ADC vulnerability tracked as CVE-2020-5902 on July 3, 2020.

...

NSA releases guidance on securing IPsec Virtual Private Networks
BleepingComputer • Sergiu Gatlan • 02 Jul 2020

The US National Security Agency (NSA) has published guidance on how to properly secure IP Security (IPsec) Virtual Private Networks (VPNs) against potential attacks.
Besides providing organizations with recommendations on how to secure IPsec tunnels, NSA's VPN guidance also highlights the importance of using strong cryptography to protect sensitive info contained within traffic while traversing untrusted networks when connecting to remote servers.
Following these recommendations...

Sodinokibi Ransomware Behind Travelex Fiasco: Report
Threatpost • Tara Seals • 07 Jan 2020

The Sodinokibi ransomware strain is apparently behind the New Year’s Eve attack on foreign currency-exchange giant Travelex, which has left its customers and banking partners stranded without its services.
The criminals behind the attack are demanding a six-figure sum in return for the decryption key, according to reports, and are directing the company to a payment website hosted in Colorado.
“It is just business. We absolutely do not care about you or your details, except gettin...

APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn
Threatpost • Elizabeth Montalbano • 08 Oct 2019

State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.
The National Security Agency (NSA) issued a Cybersecurity Advisory Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August–C...