CVE-2019-11510:
Unauthenticated remote attacker can read arbitrary files via a specially crafted URI in Pulse Secure Pulse Connect Secure (PCS) releases to 8.2R12.1, 8.3R7.1, and 9.0R3.4 (inclusive), representing a critical path traversal-based file disclosure vulnerability.
Score
A numerical rating that indicates how dangerous this vulnerability is.
10.0Critical- Published Date:May 8, 2019
- CISA KEV Date:Nov 3, 2021
- Industries Affected:20
910 DaysThreat Predictions
- EPSS Score:94.4
- EPSS Percentile:100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:CHANGED
Impact
- Score:6.0
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Unauthenticated remote attacker can read arbitrary files via a specially crafted URI in Pulse Secure Pulse Connect Secure (PCS) releases to 8.2R12.1, 8.3R7.1, and 9.0R3.4 (inclusive), representing a critical path traversal-based file disclosure vulnerability.
Overview
Pulse Connect Secure (PCS) contains a critical path traversal vulnerability that enables an unauthenticated remote attacker to read arbitrary files by sending a specially crafted URI. The affected product versions include 8.2 prior to 8.2R12.1, 8.3 prior to 8.3R7.1, and 9.0 prior to 9.0R3.4. The vulnerability impacts confidentiality, integrity, and availability and can be exploited over the network without user interaction, earning a 9.9/10 CVSS v3.0 score. This weakness stems from improper handling of file paths (CWE-22) within PCS, and it has been the subject of multiple advisories and public analyses. Remediation involves applying patched firmware releases provided by Pulse Secure.
Remediation
- Upgrade to the patched firmware releases listed by the vendor: 8.2R12.1, 8.3R7.1, or 9.0R3.4, or later for PCS. This is the primary and most effective remediation.
- If immediate upgrading is not possible, apply the vendor advisory guidance (SA44101) and any interim mitigations provided by Pulse Secure, and monitor for indicators of exploitation.
- Restrict exposure of PCS appliances to trusted networks and, if feasible, limit or block external access to management interfaces to reduce risk until patches can be applied.
- After patching or mitigations, verify the appliance version is updated and monitor logs for any attempted exploitation or anomalous file reads.
- Consider implementing compensating controls such as network-level segmentation, access controls, and ongoing vulnerability management to prevent similar exposures in the future.
- Review and apply future firmware updates promptly and verify that all affected devices have migrated to supported, patched lines.
References
- - CVE-2019-11510 — MITRE CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510
- - Pulse Secure Advisory SA44101: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
- - Pulse Secure Knowledge Base (general): https://kb.pulsesecure.net/?atype=sa
- - PSIRT SonicWall vulnerability SNWLID-2019-0010: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- - SecurityFocus BID 108073: http://www.securityfocus.com/bid/108073
- - PacketStorm: Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html: http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html
- - PacketStorm NSE: Pulse-Secure-SSL-VPN-File-Disclosure-NSE.html: http://packetstormsecurity.com/files/154231/Pulse-Secure-SSL-VPN-File-Disclosure-NSE.html
- - BadPackets: over-14500 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510: https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/
- - BlackHat USA 2019 (Infiltrating Corporate Intranet Like NSA): https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
- - DevCo Re blog: Attacking SSL VPN – The Golden Pulse Secure SSL VPN RCE Chain: https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
- - Guacamole mailing list thread: https://lists.apache.org/thread.html/ff5fa1837b6bd1b24d18a42faa75e165a4573dbe2d434910c15fd08a%40%3Cuser.guacamole.apache.org%3E
- - CERT VU 927237 (VU#927237): https://www.kb.cert.org/vuls/id/927237
- - CISA Known Exploited Vulnerabilities Catalog (CVE-2019-11510): https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2019-11510
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:Oct 18, 2020
- CISA KEV Date:Nov 3, 2021
- Days Early:910 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
