kb.pulsesecure.net
161.71.26.179  Public Scan

URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Submission: On May 02 via api from US — Scanned from GB

Text Content


RELATED ARTICLES

TSB44200 - Addendum to April Advisory (SA44101)
TSB44239 - Reminder to Apply the Security Fixes for Pulse Secure Security
Advisory - SA44101
SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in
Pulse Connect Secure 9.1R11.4
SA44588 - 2020-09: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in
Pulse Connect Secure / Pulse Policy Secure 9.1R8.2
SA44601 - 2020-10: Security Bulletin: Multiple Vulnerabilities Resolved in Pulse
Connect Secure / Pulse Policy Secure / Pulse Secure Desktop Client 9.1R9
SA44516 - 2020-07: Security Bulletin: Multiple Vulnerabilities Resolved in Pulse
Connect Secure / Pulse Policy Secure 9.1R8
KB24954 - Pulse Connect Secure / Pulse Policy Secure is sending
'iveLogNearlyFull' SNMP traps
KB44500 - Implications of disabling to the "Store host checking evaluation
results" Feature on Pulse Connect Secure/Pulse Policy
KB40974 - False positive components for Pulse Connect Secure / Pulse Policy
Secure devices
SA43877 - 2018-08 Security Bulletin: Multiple vulnerabilities resolved in Pulse
Connect Secure / Pulse Policy Secure / Pulse Secure Desktop 9.0R1/9.0R2


SA44101 - 2019-04: OUT-OF-CYCLE ADVISORY: MULTIPLE VULNERABILITIES RESOLVED IN
PULSE CONNECT SECURE / PULSE POLICY SECURE 9.0RX




INFORMATION

 

Product Affected: Pulse Connect Secure, Pulse Policy Secure

Problem
Multiple vulnerabilities were discovered and have been resolved in Pulse Connect
Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication
bypass vulnerability that can allow an unauthenticated user to perform remote
arbitrary file access on the Pulse Connect Secure gateway. This advisory also
includes a remote code execution vulnerability that can allow an authenticated
administrator to perform remote code execution on Pulse Connect Secure and Pulse
Policy Secure gateways. Many of these vulnerabilities have a critical CVSS score
and pose significant risk to your deployment. We strongly recommend upgrading
to the corresponding version with the fix as soon as possible.

CVEs have been requested and will be updated in the future.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve
security vulnerabilities? per our End of Engineering (EOE) and End of Life (EOL)
policies.

The table below provides details of the vulnerabilities and the affected and not
affected products:

Affected Versions:
 * Pulse Connect Secure 9.0R1 - 9.0R3.3
 * Pulse Connect Secure 8.3R1 - 8.3R7
 * Pulse Connect Secure 8.2R1 - 8.2R12
 * Pulse Connect Secure 8.1R1 - 8.1R15
 * Pulse Policy Secure 9.0R1 - 9.0R3.1
 * Pulse Policy Secure 5.4R1 - 5.4R7
 * Pulse Policy Secure 5.3R1 - 5.3R12
 * Pulse Policy Secure 5.2R1 - 5.2R12
 * Pulse Policy Secure 5.1R1 - 5.1R15

Not Affected:
 * Pulse Connect Secure 9.1R1 (9.1.1.1505) and above
 * Pulse Connect Secure 9.0R4 (9.0.4.64055) & 9.0R3.4 (9.0.3.64053)
 * Pulse Connect Secure 8.3R7.1 (8.3.7.65025)
 * Pulse Connect Secure 8.2R12.1 (8.2.12.64003)
 * Pulse Connect Secure 8.1R15.1 (8.1.15.59747)
 * Pulse Policy Secure 9.1R1 (9.1.1.1231) and above
 * Pulse Policy Secure 9.0R4 (9.0.4.51871) & 9.0R3.2 (9.0.3.51873)
 * Pulse Policy Secure 5.4R7.1 (5.4.7.51119)
 * Pulse Policy Secure 5.3R12.1 (5.3.12.50975)
 * Pulse Policy Secure 5.2R12.1 (5.2.12.50765)
 * Pulse Policy Secure 5.1R15.1 (5.1.15.50767)

 

Columns: CVE, CVSS Score (V3), Summary, Product Affected

CVE: CVE-2019-11510
CVSS Score (V3): 10 Critical, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary: An unauthenticated remote attacker with network access via HTTPS can
send a specially crafted URI to perform an arbitrary file read.
Product Affected: Pulse Connect Secure:
 * 9.0R1 to 9.0R3.3
 * 8.3R1 to 8.3R7
 * 8.2R1 to 8.2R12

These versions are not impacted for this CVE:
 * 9.1R1 and above
 * 9.0R3.4 & 9.0R4
 * 8.3R7.1
 * 8.2R12.1
 * 8.1RX and below

CVE: CVE-2019-11508
CVSS Score (V3): 9.9 Critical, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary: A vulnerability in the Network File Share (NFS) of Pulse Connect
Secure allows an authenticated end-user attacker to upload a malicious file to
write arbitrary files to the local system.
Product Affected: Pulse Connect Secure:
 * 9.0RX
 * 8.3RX
 * 8.2RX
 * 8.1RX

CVSS Score (V3): 9.9 Critical, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary: Multiple vulnerabilities are patched for Ghostscript.
CVE-2018-16513
CVE-2018-18284
CVE-2018-15911
CVE-2018-15910
CVE-2018-15909
CVE-2018-16513
Product Affected: Pulse Connect Secure:
 * 9.0RX
 * 8.3RX
 * 8.2RX

CVE: CVE-2019-11540
CVSS Score (V3): 8.3 High, CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary: A vulnerability in Pulse Secure could allow an unauthenticated, remote
attacker to conduct an (end user) session hijacking attack.
Product Affected: Pulse Connect Secure:
 * 9.0RX
 * 8.3RX

Pulse Policy Secure:
 * 9.0RX
 * 5.4RX

CVE: CVE-2019-11543
CVSS Score (V3): 8.3 High, CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary: An XSS issue was found in the admin web console. Pulse Secure Pulse
Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX
before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before
5.4R7.1, and 5.2RX before 5.2R12.1.
Product Affected: Pulse Connect Secure:
 * 9.0RX
 * 8.3RX
 * 8.1RX

Pulse Policy Secure:
 * 9.0RX
 * 5.4RX
 * 5.2RX

CVE: CVE-2019-11541
CVSS Score (V3): 8.3 High, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Summary: Users using SAML authentication with the Reuse Existing NC (Pulse)
Session option may see authentication leaks.
Product Affected: Pulse Connect Secure:
 * 9.0RX
 * 8.3RX
 * 8.2RX

CVE: CVE-2019-11542
CVSS Score (V3): 8.0 High, CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary: An authenticated attacker can send a specially crafted message via the
admin web interface, resulting in a stack buffer overflow.
Product Affected: Pulse Connect Secure:
 * 9.0RX
 * 8.3RX
 * 8.2RX
 * 8.1RX

Pulse Policy Secure:
 * 9.0RX
 * 5.4RX
 * 5.3RX
 * 5.2RX
 * 5.1RX

CVE: CVE-2019-11539
CVSS Score (V3): 8.0 High, CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary: An authenticated attacker can inject and execute commands via the
admin web interface.
Product Affected: Pulse Connect Secure:
 * 9.0RX
 * 8.3RX
 * 8.2RX
 * 8.1RX

Pulse Policy Secure:
 * 9.0RX
 * 5.4RX
 * 5.3RX
 * 5.2RX
 * 5.1RX

CVE: CVE-2019-11538
CVSS Score (V3): 7.7 High, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary: A vulnerability in the Network File Share (NFS) of Pulse Connect
Secure could allow an authenticated end-user attacker to access the contents of
arbitrary files on the local file system.
Product Affected: Pulse Connect Secure:
 * 9.0RX
 * 8.3RX
 * 8.2RX
 * 8.1RX

CVE: CVE-2019-11509
CVSS Score (V3): 6.4 Medium, CVSS v3 AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Summary: An authenticated attacker can exploit this issue via the admin web
interface to execute arbitrary code on the Pulse Secure appliance.
Product Affected: Pulse Connect Secure:
 * 9.0RX
 * 8.3RX
 * 8.2RX
 * 8.1RX

Pulse Policy Secure:
 * 9.0RX
 * 5.4RX
 * 5.3RX
 * 5.2RX
 * 5.1RX

CVE: CVE-2019-11507
CVSS Score (V3): 5.8 Medium, CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Summary: An XSS issue has been found in the Pulse Secure Application Launcher
page. Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1, and 9.0.x before 9.0R3.
Product Affected: Pulse Connect Secure:
 * 9.0RX
 * 8.3RX



 

Solution
The solution for these vulnerabilities is to upgrade your Pulse Connect Secure
and Pulse Policy Secure server software version to the corresponding version
that has the fix. The following table provides guidance on the software you
should deploy depending on current software version. 
 

| If the PCS/PPS version is installed: | Then deploy this version (or later) to resolve the issue: | Expected Release | Notes (if any) |
|---|---|---|---|
| Pulse Connect Secure 9.0RX | Pulse Connect Secure 9.0R3.4 & 9.0R4 | Available Now | |
| Pulse Connect Secure 8.3RX | Pulse Connect Secure 8.3R7.1 | Available Now | |
| Pulse Connect Secure 8.2RX | Pulse Connect Secure 8.2R12.1 | Available Now | |
| Pulse Connect Secure 8.1RX | Pulse Connect Secure 8.1R15.1 | Available Now | |
| Pulse Policy Secure 9.0RX | Pulse Policy Secure 9.0R3.2 & 9.0R4 | Available Now | |
| Pulse Policy Secure 5.4RX | Pulse Policy Secure 5.4R7.1 | Available Now | |
| Pulse Policy Secure 5.3RX | Pulse Policy Secure 5.3R12.1 | Available Now | |
| Pulse Policy Secure 5.2RX | Pulse Policy Secure 5.2R12.1 | Available Now | |
| Pulse Policy Secure 5.1RX | Pulse Policy Secure 5.1R15.1 | Available Now | |

  
Post-Upgrade Recommendations:

Pulse Secure strongly recommends the following steps after upgrading to a
patched version of the software:
 * Any end user and administrator passwords used to log in to the device should
   be changed.
 * Any service account passwords stored on the device (LDAP, RADIUS, AD, etc.)
   should be changed.
 * Replace device certificate(s) by generating a new certificate signing
   request (CSR) on the device.
 * If a TOTP Auth Server is configured on the appliance, the administrator needs
   to reset the TOTP users so that they register again. Refer to KB41050 for
   details.
 * Disable roaming session or limit to subnet for non-roaming user roles:
   This feature ensures that if a session cookie is stolen it cannot be reused
   from a different IP address than that of the user who first logged in. This
   lowers the possibility of a session being stolen and reused by an attacker.
   This would require the end user to re-authenticate when the source IP address
   is changed.

    1. Users: (Users --> User Roles --> <role name> --> General --> Session
       Options: Roaming Session, select "Disabled").
    2. Admins: (Administrators --> Admin Roles --> <role name> --> General -->
       Session Options: Roaming Session, select "Disabled").


EXPLOITATION AND ANNOUNCEMENTS:

The vulnerabilities described in this advisory were found and properly
disclosed by security researchers on March 22, 2019.

As of Jan 2020, Pulse Secure PSIRT is aware of attempted exploitation of this
vulnerability in the wild related to REvil ransomware. Pulse Secure strongly
recommends upgrading to the patched software as soon as possible.
 


FREQUENTLY ASKED QUESTIONS (FAQ):


Question 1: Can I delay the upgrade and upgrade to the next major release
instead?
Answer: No, Pulse Secure recommends upgrading to the corresponding version with
the fix as soon as possible.

Question 2: Where can I find and download the security patches for
CVE-2019-11510 vulnerability?
Answer: All security patches are available from the Download Center at
https://my.pulsesecure.net.  For instructions to download software, please refer
to KB40028 - [Customer Support Tools] How to download software / firmware for
Pulse Secure products using the Licensing & Download Center at
my.pulsesecure.net

Question 3: Will the device reboot after upgrading to the fix version?
Answer: Yes, once you upgrade your device it will automatically get rebooted. 

Question 4: Do I need to upgrade client components (including Pulse Desktop
Client, Network Connect, WSAM, Terminal Services) on my Windows, Mac, Linux,
Android, or iOS endpoints?
Answer:

For Pulse Desktop Client or Pulse Mobile (for iOS and Android)
 * Upgrade of these client components is not required.


Note: Pulse Desktop Clients will upgrade on the end points if the PCS/PPS server
side configuration is set to “Auto-Upgrade” with a higher Pulse Desktop Client
package set to Active. To avoid upgrading the Pulse Desktop Client, please
upload the equivalent Pulse Desktop Client version and mark as Active.

For WSAM, Network Connect, Host Checker, and Terminal Services customers
 * The client will be upgraded as part of the server upgrade. If client machines
   do not have administrator privileges, ensure Pulse Secure Installer Service
   is installed or have the required privileges/rights.


Question 5: How do I upgrade Pulse Connect Secure / Pulse Policy Secure to
resolve this vulnerability?
Answer:  Download a fixed version of the Pulse Connect Secure or Pulse Policy
Secure available from the Licensing & Download Center
at https://my.pulsesecure.net.  For upgrade documentation, please refer to:
 * Upgrade PCS Cluster
 * Upgrade PCS Standalone Device


For additional FAQ and upgrade recommendations, refer to KB23051.

Question 6: Is there any workaround to fix this vulnerability temporarily?
Answer: No, there is no workaround. Pulse Secure strongly recommends that
administrators upgrade their devices to fixed versions.

Question 7:  I do not have access to my.pulsesecure.net to download the
recommended PCS/PPS version.
Answer: Please refer to KB40031 for onboarding at my.pulsesecure.net. If you face
any issue, please contact Pulse Secure Global Support Center.

Question 8: After upgrading to the patched version, Qualys and Tenable are still
showing the device as vulnerable?
Answer: Qualys and Tenable are parsing the version number and do not properly
confirm the issue.  Pulse Secure is working with both vendors to properly detect
the issue.  If the device is running a patched version, CVE-2019-11510 is no
longer applicable.

Question 9: Are there any IOCs (indicators of compromise) that we can search for
within our logs to detect exploit attempts?
Answer: The U.S. Cyber and Infrastructure Security Agency (CISA) released a
Python tool called “Check Your Pulse.” The tool will analyze your downloaded PCS
logs for IOCs and alert on any matches. It’s important to note that unsuccessful
exploit attempts against patched servers will continue to show up in the server
logs. Therefore, CISA’s “Check Your Pulse” tool will alert on failed exploit
attempts against patched instances.

The link to “Check Your Pulse” above can be expanded out to the full URL:
https://github.com/cisagov/check-your-pulse

Question 10: FireEye recently announced a breach relating to their red-team
tools and techniques which include the Pulse Secure CVE.
Answer: On December 8th cybersecurity vendor FireEye reported a breach of their
network and data exfiltration which included their internally
developed Red Team tools. FireEye took the step of publishing details of these
tools in a GitHub repository to allow other vendors to protect against their use
by potential adversaries.

In the F5 Security Advisory, one of these targeted vulnerabilities includes a
Pulse Secure vulnerability. On April 24th, 2019, Pulse Secure released security
fixes for a critical Remote Code Execution (RCE) vulnerability, CVE-2019-11510,
for Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) appliances.  

F5 Advisory is available here: https://support.f5.com/csp/article/K43840335

Document History:
April 24, 2019 - Initial advisory posted and software was posted to the Download
Center.
April 25, 2019 - CVE-2019-11510, CVE-2019-11509, CVE-2019-11508, CVE-2019-11507,
CVE-2019-11543, CVE-2019-11542, CVE-2019-11541, CVE-2019-11540, CVE-2019-11539,
CVE-2019-11538 were assigned. Workaround provided for CVE-2019-11508.
July 26, 2019 - Adding information about 9.1RX
July 30, 2019 - Change description verbiage for CVE-2019-11538
August 17, 2019 - Updated details for CVE-2019-11510 as 8.1RX and below are not
directly impacted
August 20, 2019 - Updated verbiage for the description of CVE-2019-11540
and CVE-2019-11510
October 17, 2019 - Updated the recommendation to reset the TOTP Users.
Jan 13, 2020 - Updated verbiage in exploitation and public announcements section
April 17, 2020 - Updated FAQ Details
April 20, 2020 - Updated Post-Upgrade Recommendation
August 7, 2020 - Updated Post-Upgrade Recommendation
December 15, 2020 - Updated FAQ Details

LEGAL DISCLAIMER

 * THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF
   GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
   FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR
   IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK.  PULSE SECURE
   RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
 * A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE
   DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION
   OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END
   USERS OF PULSE SECURE PRODUCTS.

Workaround
CVE-2019-11508 and CVE-2019-11538 can be mitigated by disabling the File Share
feature on the Pulse Connect Secure device.

There are no workarounds that address the other vulnerabilities. 

Related Links
 * https://www.us-cert.gov/ncas/alerts/aa20-107a
 * https://support.f5.com/csp/article/K43840335

Acknowledgements
 * Orange Tsai and Meh Chang from DEVCORE research team
 * Jake Valletta from FireEye

Alert Type: SA - Security Advisory
