13 vulnerabilities in Pulse Connect Secure and Pulse Policy Secure SSL VPN

Specialists in a pentest training course have revealed the finding of 13 vulnerabilities in Pulse Connect Secure and Pulse Policy Secure, the virtual private network (VPN) and remote access solutions from Pulse Secure. According to the report, successful exploitation of these flaws would allow threat actors to execute malicious code, perform cross-site scripting attacks, among other attack variants.

The flaws are found in the following versions of the affected products:

  • Press Connect Secure: 9.1R1, 9.1R2, 9.1R3, 9.1R4, 9.1R4.1, 9.1R4.2, 9.1R4.3, 9.1R5, 9.1R6, 9.1R7
  • Press Policy Secure: 9.1R1, 9.1R2, 9.1R3, 9.1R3.1, 9.1R4, 9.1R4.1, 9.1R4.2, 9.1R5, 9.1R6, 9.1R7

Below is a brief description of the reported flaws, in addition to their respective scores and identification keys according to the Common Vulnerability Scoring System (CVSS).

CVE-2019-11507: Insufficient disinfection of user input in Application Launcher allows cross-site scripts attacks (XSS) to be deployed. Remote hackers can trick a target user into executing arbitrary HTML, completing the attack.

A successful attack would lead to phishing scenarios, arbitrary downloads, modification of the appearance of a website, among others. The flaw received a score of 5.3/10, mentioned specialists of the pentest training course.

CVE-2018-19519: The print_prefix feature presents a flaw that would allow remote threat actors to obtain sensitive information on the system and even deploy denial of service (DoS) attacks. Malicious hackers could trick the victim into executing a tcpdump command on a .pcap file, which sends malicious information and triggers a buffer overload, leading to the DoS condition.

This is a low severity flaw and received a score of 6.2/10; it is worth mentioning that there is a public exploit for this vulnerability.

CVE-2020-8206: A flaw to process authentication requests on affected products would allow remote hackers to bypass authentication mechanisms; attackers can dodge Google TOTP if credentials are not adequately protected.

This is a medium severity vulnerability and received a score of 6.2/10.

CVE-2020-8218: This flaw exists due to incorrect input validation in the Management Panel of Pulse Secure products that would allow shell commands to be executed on the target system.

Threat actors could pass specially designed data to the application and complete code execution. The experts of the pentest training course assigned this vulnerability a score of 6.3/10.

CVE-2020-8221: An input validation error when processing directory traversal sequences in the management pane. The flaw received a score of 4.3/10 on the CVSS scale. 

CVE-2020-8222: An input validation error when processing directory crossovers in the management interface allows threat actors to perform directory attacks. The flaw received a score of 4.3/10.

CVE-2020-8219: Affected applications do not impose appropriate security restrictions, allowing remote hackers to scale privileges on the system. The flaw received a score of 6.3/10.

CVE-2020-8220: Incorrect input validation when processing user-provided entries from the web interface might trigger DoS conditions. The vulnerability received a score of 4.3/10.

CVE-2020-12880: Inadequate security restrictions on these products allow threat actors to scale privileges on the system. Exploiting this flaw requires physical access to the target system.

CVE-2020-8204: Insufficient disinfection of user-provided data that is passed via URL to the PSAL page allows remote hackers to execute XSS attacks. The flaw received a score of 5.3/10.

CVE-2020-8217: Insufficient description of user input through the URL used for Citrix ICA allows the deployment of XSS attacks. The vulnerability received a score of 5.3/10.

CVE-2020-8216: Improper access restrictions on affected software would allow threat actors to gain unauthorized access; the vulnerability received a score of 3.8/10.

CVE-2020-15408: Inadequate access restrictions allow remote hackers to gain unauthorized access to restricted features on the target system. The flaw received a score of 3.8/10.

While most of these flaws can be exploited remotely by unauthenticated threat actors, experts mention that no cases of active exploitation have been detected. Updates are ready, so affected deployment administrators are encouraged to install them as soon as possible.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.