HKCert
Security Blog

Critical Pulse Secure VPN Vulnerability (CVE-2019-11510) Alert

Release Date: 06 / 09 / 2019
Last Update: 06 / 09 / 2019

Bad Packets recently stated in a security blog [1] that they detected an internet-wide opportunistic scanning activity targeting Pulse Secure VPN endpoints vulnerable to CVE-2019-11510 [2]. This arbitrary file reading vulnerability allows sensitive information disclosure, enabling unauthenticated attackers to access private keys and user password. Further exploitation can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access to the private VPN network and seize control (CRITICAL RISK).

Hong Kong computers are not spared from this vulnerability. According to information from a reliable source, over 150 local IP addresses have been affected by it. HKCERT has already notified the corresponding network providers and organisations to take appropriate remedial action.

The affected products include:

  • Pulse Connect Secure 9.0RX
  • Pulse Connect Secure 8.3RX
  • Pulse Connect Secure 8.2 RX

 

The Pulse Secure Security Advisory SA44101 [3] has provided information on this vulnerability. Security fixes are available for different versions of software. Users are recommended to upgrade to the corresponding version with the fix ASAP.

Notes:
[1] https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510
[3] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101