Critical Pulse Secure VPN Vulnerability (CVE-2019-11510) Alert

Bad Packets recently stated in a security blog [1] that they detected an internet-wide opportunistic scanning activity targeting Pulse Secure VPN endpoints vulnerable to CVE-2019-11510 [2]. This arbitrary file reading vulnerability allows sensitive information disclosure, enabling unauthenticated attackers to access private keys and user password. Further exploitation can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access to the private VPN network and seize control (CRITICAL RISK).

Hong Kong computers are not spared from this vulnerability. According to information from a reliable source, over 150 local IP addresses have been affected by it. HKCERT has already notified the corresponding network providers and organisations to take appropriate remedial action.

The affected products include:

• Pulse Connect Secure 9.0RX
• Pulse Connect Secure 8.3RX
• Pulse Connect Secure 8.2RX
• Pulse Connect Secure 8.1RX
• Pulse Policy Secure 9.0RX
• Pulse Policy Secure 5.4RX
• Pulse Policy Secure 5.3RX
• Pulse Policy Secure 5.2RX
• Pulse Policy Secure 5.1RX

The Pulse Secure Security Advisory SA44101 [3] has provided information on this vulnerability. Security fixes are available for different versions of software. Users are recommended to upgrade to the corresponding version with the fix ASAP.

[Updated 8-Oct-2019]: We noticed these vulnerabilities were reported being used in scattered attacks. [4][5]

Notes:
[1] https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510
[3] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
[4] https://www.us-cert.gov/ncas/current-activity/2019/10/04/vulnerabilities-exploited-multiple-vpn-applications
[5] https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities