CVE-2019-11510: An unauthenticated remote attacker can read arbitrary files via a specially crafted URI in Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, a critical path-traversal file disclosure vulnerability.


Description Preview

CVE-2019-11510 is a path traversal vulnerability in Pulse Secure Pulse Connect Secure (PCS): an unauthenticated remote attacker can send a crafted URI to the appliance's web interface and cause it to read and return arbitrary files from its filesystem. Affected versions are PCS 8.2 prior to 8.2R12.1, PCS 8.3 prior to 8.3R7.1, and PCS 9.0 prior to 9.0R3.4. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). It is exploitable over the network with low attack complexity, no privileges and no user interaction, and carries a changed scope: the files that can be read include the appliance's cached credentials and session data, which let an attacker log in to the VPN and reach the intranet behind it. That is why integrity and availability are rated high alongside confidentiality, giving a CVSS v3 base score of 10.0 (CRITICAL), the score that corresponds to an unauthenticated, scope-changed, high-impact vector. Vendor advisories and multiple third-party analyses document the vulnerability and fixes; organizations running affected PCS appliances should apply the vendor-supplied patches.

Overview

Pulse Connect Secure (PCS) contains a critical path traversal vulnerability that lets an unauthenticated remote attacker read arbitrary files from the appliance by sending a specially crafted URI to its web front end. Affected versions are 8.2 prior to 8.2R12.1, 8.3 prior to 8.3R7.1, and 9.0 prior to 9.0R3.4. Because the vulnerable handler sits in the user-facing SSL VPN portal, any appliance whose login page is reachable from the internet is exposed; no credentials or user interaction are needed. The weakness is improper handling of file paths (CWE-22), scored 10.0 (CRITICAL) under CVSS v3. Public analyses (see the DEVCORE and Black Hat references below) show the file read being chained with further bugs into remote code execution, and the vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog. Remediation is to install the patched firmware releases provided by Pulse Secure.
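As an added example (not code from this page, from Armis, or from Pulse Secure), the following Python script scans web-server access-log lines for the publicly documented exploitation pattern: a request whose path climbs out of the appliance's Guacamole HTML5 access directory with `../` sequences to read files elsewhere on the filesystem. It percent-decodes the target, normalizes the path to show which file the request actually resolved to, and tags two files named in public reporting as common targets (`/etc/passwd` and the LMDB session cache). The log lines, addresses, timestamps and sizes are constructed for the example and use combined log format; adapt the parser to whatever format your proxy or appliance logs use.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format). Addresses,
# timestamps and sizes are invented; only the request URIs follow the
# publicly documented CVE-2019-11510 traversal pattern.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Aug/2019:10:01:12 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Aug/2019:10:01:15 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1340 "-" "python-requests/2.22.0"
203.0.113.7 - - [24/Aug/2019:10:01:16 +0000] "GET /dana-na/../dana/html5acc/guacamole/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fdata/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 524288 "-" "python-requests/2.22.0"
198.51.100.2 - - [24/Aug/2019:10:02:01 +0000] "GET /dana/html5acc/guacamole/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directory the public exploit climbs out of; the same path also appears as
# the query string in the documented request.
GUACAMOLE_DIR = "/dana/html5acc/guacamole/"

# Files named in public reporting as targets of this bug.
KNOWN_TARGETS = {
    "/etc/passwd": "local account list",
    "/data/runtime/mtmp/lmdb/dataa/data.mdb": "LMDB session/credential cache",
}


def normalize_target(target: str):
    """Split off the query string, percent-decode twice (to catch double
    encoding) and collapse '..' segments the way the filesystem would.
    Returns (decoded_path, resolved_path, decoded_query)."""
    parts = urlsplit(target)
    path = unquote(unquote(parts.path))
    resolved = posixpath.normpath(path)
    return path, resolved, unquote(parts.query)


def analyze_target(target: str):
    """Return a finding dict if the request looks like a CVE-2019-11510
    traversal attempt, otherwise None."""
    path, resolved, query = normalize_target(target)
    if ".." not in path.split("/"):
        return None  # no traversal segment: ordinary request
    return {
        "resolved_path": resolved,
        "via_guacamole": GUACAMOLE_DIR.rstrip("/") in path
        or query.startswith(GUACAMOLE_DIR),
        "known_target": KNOWN_TARGETS.get(resolved),
    }


def scan_log(text: str):
    """Scan log text and return one finding per suspicious request.
    A 200 status on a flagged request is the strongest sign of success."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_target(m["target"])
        if finding is None:
            continue
        finding.update(ip=m["ip"], status=int(m["status"]), size=m["size"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The fourth sample line requests the Guacamole directory legitimately and is not flagged; only requests containing a `..` segment after decoding count, and the resolved path tells the responder which file was actually disclosed.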

Remediation

  • Upgrade to the fixed releases listed by the vendor: 8.2R12.1, 8.3R7.1, or 9.0R3.4 (or later within each line). This is the only complete remediation; the flaw is in the unauthenticated web front end of the appliance, so it is reachable by anyone who can reach the VPN login page.
  • Treat any appliance that was reachable while unpatched as potentially compromised. The files an attacker can read include the appliance's cached session and credential data, so after upgrading, reset the local and directory credentials used on the device and invalidate active VPN sessions; patching alone does not revoke what was already taken.
  • If immediate upgrading is not possible, follow the guidance in Pulse Secure advisory SA44101 and any interim mitigations it lists, and monitor for indicators of exploitation.
  • Restricting exposure helps only partially. The vulnerable endpoint is the user-facing SSL VPN portal, not just the management interface, so limiting administrative access does not remove the attack surface. Where feasible, restrict the source networks that may reach the portal until the patch is applied.
  • After patching, verify the running version in the admin console and review web access logs for traversal sequences (`../`, including percent-encoded forms) in request URIs and for successful (HTTP 200) responses to such requests.
  • Compensating controls such as network segmentation, access controls, and ongoing vulnerability management reduce the blast radius of similar exposures in the future.
  • Apply future firmware updates promptly and confirm that all affected devices have migrated to supported, patched lines.
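The version check in the list above is easy to get wrong by hand, because PCS version strings ("8.3R7.1", "9.0R3.4") order by release number and then patch number, so "8.3R7" is affected while "8.3R7.1" is fixed. As an added example (not code from this page, from Armis, or from Pulse Secure), the following Python helper parses those strings, compares them against the fix versions named in the CVE text, and triages a constructed inventory. The CVE text covers only the 8.2, 8.3 and 9.0 lines, so other lines return None rather than a guess (the PacketStorm reference below mentions 8.1R15.1; consult SA44101 for lines not listed here). Hostnames and build numbers are placeholders.

```python
import re

# First fixed (release, patch) for each affected (major, minor) line,
# taken from the CVE text.
FIXED = {
    (8, 2): (12, 1),  # 8.2R12.1
    (8, 3): (7, 1),   # 8.3R7.1
    (9, 0): (3, 4),   # 9.0R3.4
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_version(text: str):
    """Extract (major, minor, release, patch) from a PCS version string such
    as '8.3R7.1' or '9.0R3.4 (build 1234)'. Returns None if none is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_affected(text: str):
    """True if the version is in an affected line and below its fix, False if
    at or above the fix, None if the line is not covered by the CVE text."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no PCS version found in {text!r}")
    major, minor, release, patch = v
    fix = FIXED.get((major, minor))
    if fix is None:
        return None
    return (release, patch) < fix


def triage(inventory):
    """Group (hostname, version string) pairs into affected/fixed/unknown."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        status = is_affected(version)
        key = "unknown" if status is None else ("affected" if status else "fixed")
        result[key].append(host)
    return result


# Constructed inventory; hostnames and build numbers are placeholders.
SAMPLE_INVENTORY = [
    ("vpn-a.example", "8.3R7 (build 1234)"),
    ("vpn-b.example", "8.3R7.1 (build 1234)"),
    ("vpn-c.example", "9.0R3.3"),
    ("vpn-d.example", "9.0R4"),
    ("vpn-e.example", "8.2R12"),
    ("vpn-f.example", "9.1R1"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A missing patch number is treated as patch 0, which is what makes "8.2R12" sort below the "8.2R12.1" fix; a version in a later release (for example 9.0R4) is at or above the fix and reported as fixed.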

References

  • MITRE CVE entry, CVE-2019-11510: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510
  • Pulse Secure advisory SA44101: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
  • Pulse Secure Knowledge Base, security advisories: https://kb.pulsesecure.net/?atype=sa
  • SonicWall PSIRT, SNWLID-2019-0010: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
  • SecurityFocus BID 108073: http://www.securityfocus.com/bid/108073
  • Packet Storm, Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure: http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html
  • Packet Storm, Pulse Secure SSL VPN File Disclosure (Nmap NSE script): http://packetstormsecurity.com/files/154231/Pulse-Secure-SSL-VPN-File-Disclosure-NSE.html
  • Bad Packets, over 14,500 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510: https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/
  • Black Hat USA 2019 slides, Infiltrating Corporate Intranet Like NSA: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
  • DEVCORE blog, Attacking SSL VPN, Part 3: The Golden Pulse Secure SSL VPN RCE Chain: https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
  • Apache Guacamole user mailing list thread: https://lists.apache.org/thread.html/ff5fa1837b6bd1b24d18a42faa75e165a4573dbe2d434910c15fd08a%40%3Cuser.guacamole.apache.org%3E
  • CERT/CC vulnerability note VU#927237: https://www.kb.cert.org/vuls/id/927237
  • CISA Known Exploited Vulnerabilities Catalog, CVE-2019-11510: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2019-11510

Early Warning

Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers.

Armis Alert Date: Oct 18, 2020
CISA KEV Date: Nov 3, 2021
381 days early

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Retail Trade: Low
  2. Educational Services: Low
  3. Manufacturing: Low
  4. Accommodation & Food Services: Low
  5. Administrative, Support, Waste Management & Remediation Services: Low
  6. Agriculture, Forestry, Fishing & Hunting: Low
  7. Arts, Entertainment & Recreation: Low
  8. Construction: Low
  9. Finance and Insurance: Low
  10. Health Care & Social Assistance: Low
  11. Information: Low
  12. Management of Companies & Enterprises: Low
  13. Mining: Low
  14. Other Services (except Public Administration): Low
  15. Professional, Scientific, & Technical Services: Low
  16. Public Administration: Low
  17. Real Estate Rental & Leasing: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
