BY Craig Underhill / ON Oct 20, 2020
Recently I was tasked to conduct an external infrastructure penetration test against a select few IP addresses of a certain client. Nothing out of the ordinary there, but what made this test a little more interesting was that we believed this client had been a victim of the Pulse Connect Secure Arbitrary File Read vulnerability, CVE-2019-11510.
As expected during the testing, the Pulse Connect Secure endpoint was patched and no longer exploitable, but after researching the vulnerability and realising just how easy it is to exploit, it left me wondering just how many other companies are still easy pickings for a malicious actor in the wild.
This is why I decided to follow on from the great work that @bad_packets has done to bring attention to the vast number of endpoints still vulnerable up until March 23rd 2020. You can find his article regarding this here.
I am going to now show just how many Pulse Connect Secure endpoints are still vulnerable as of 23rd September 2020.
Pulse Connect Secure is an industry leading SSL VPN solution from Pulse Secure which is used by over 20,000 companies and organisations worldwide.
CVE-2019-11510 is an Arbitrary File Read vulnerability affecting Pulse Connect Secure endpoints. This can be exploited by an unauthenticated attacker to gain access to sensitive information on the VPN endpoint, including the ability to access private keys and credentials.
If valid credentials are found by an attacker, these could also be used to exploit CVE-2019-11539, which is a remote authenticated command injection vulnerability in Pulse Connect Secure, allowing an attacker to gain a foothold within the target's internal network.
From the security advisory that was published on April 23rd 2019 from Pulse Secure, it details what versions are vulnerable:
Pulse Connect Secure 9.0R1 - 9.0R3.3
Pulse Connect Secure 8.3R1 - 8.3R7
Pulse Connect Secure 8.2R1 - 8.2R12
Pulse Connect Secure 8.1R1 - 8.1R15
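The advisory ranges above are easy to misread when a version carries a maintenance suffix (9.0R3.3 is vulnerable, 9.0R3.4 is not). The following is an added example, not code from the original post or from Pulse Secure, that parses a Pulse Connect Secure version string into a comparable tuple and checks it against the four inclusive ranges listed above; the regular expression and the function names are my own assumptions about the version format, and a version string reported by a device banner is only as trustworthy as the banner itself.

```python
import re
from typing import Tuple

# Vulnerable ranges (inclusive) as listed in the Pulse Secure advisory for CVE-2019-11510.
VULNERABLE_RANGES = [
    ("9.0R1", "9.0R3.3"),
    ("8.3R1", "8.3R7"),
    ("8.2R1", "8.2R12"),
    ("8.1R1", "8.1R15"),
]

# Assumed format: <major>.<minor>R<release>[.<maintenance>], e.g. 9.0R3.3 or 8.3R7.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '9.0R3.3' into (9, 0, 3, 3); a missing maintenance number counts as 0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Pulse Connect Secure version string: {version!r}")
    major, minor, release, maintenance = match.groups()
    return (int(major), int(minor), int(release), int(maintenance or 0))


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the advisory's vulnerable ranges.

    Branches the advisory does not list (for example 9.1R8.2, the current release
    at the time of writing) are reported as not vulnerable by this check alone.
    """
    parsed = parse_version(version)
    return any(parse_version(low) <= parsed <= parse_version(high)
               for low, high in VULNERABLE_RANGES)


if __name__ == "__main__":
    # Constructed sample versions, not data from the scan.
    for sample in ["8.3R5", "9.0R3.3", "9.0R3.4", "8.1R15", "8.1R15.1", "9.1R8.2"]:
        print(f"{sample:>10}: {'VULNERABLE' if is_vulnerable(sample) else 'not in a listed range'}")
```

Tuple comparison is what makes the boundary cases come out right: 9.0R3.3 parses to (9, 0, 3, 3), which is the upper bound of the first range, while 9.0R3.4 parses to (9, 0, 3, 4) and falls outside it.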
Before we can try to find vulnerable hosts, we first need to gather the IP addresses of as many Pulse Connect Secure endpoints on the internet as possible and determine whether they are vulnerable or not. This is where BinaryEdge comes into play: BinaryEdge scans the entire internet and, like Shodan, allows us to search for specific products, versions and so on, enabling us to download the data of 42,923 potential Pulse Connect Secure endpoints currently on the internet.
The downloaded data from BinaryEdge is in JSON format, allowing us to gather only the data we require by utilising `jq`. `jq` is a command-line tool for parsing JSON and works similarly to `sed`, allowing you to slice, filter and map structured data.
In this case, we want to gather only the IP addresses and ports for each host; the following command will output the contents in the format `ip:port`:
```shell
cat pulse.json | jq -j '.target | .ip, ":", .port, "\n"'
```
We can also remove any potential duplicates from the output data:
```shell
cat pulse.json | jq -j '.target | .ip, ":", .port, "\n"' | wc -l
42923
cat pulse.json | jq -j '.target | .ip, ":", .port, "\n"' | sort -u | wc -l
42915
```
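For readers who would rather do the same extraction in the language of the scripts later in this post, here is an added example (not part of the original post) that mirrors the `jq` filter and the `sort -u` de-duplication in Python. It assumes, as the `jq` stream filter above implies, that the BinaryEdge download is one JSON record per line with the address under `.target.ip` and `.target.port`; the sample records are constructed, and unlike the raw `jq` command it skips records without a `target` block instead of emitting a malformed line.

```python
import json
from typing import Iterable, List, Tuple

# Constructed sample of BinaryEdge-style records, one JSON object per line (not real data).
# The third line duplicates the first, and the last line has no target block.
SAMPLE_JSONL = """\
{"target": {"ip": "203.0.113.10", "port": 443}, "result": {"data": {"state": "open"}}}
{"target": {"ip": "203.0.113.11", "port": 443}}
{"target": {"ip": "203.0.113.10", "port": 443}}
{"target": {"ip": "198.51.100.7", "port": 8443}}
{"origin": {"type": "service-simple"}}
"""


def iter_targets(lines: Iterable[str]) -> Iterable[str]:
    """Yield 'ip:port' for each record that carries .target.ip and .target.port,
    the same fields the jq filter selects; blank, unparsable or target-less lines are skipped."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue
        target = record.get("target") or {}
        ip, port = target.get("ip"), target.get("port")
        if ip is None or port is None:
            continue
        yield f"{ip}:{port}"


def unique_targets(lines: Iterable[str]) -> Tuple[int, List[str]]:
    """Return (number of extracted targets, sorted de-duplicated targets),
    i.e. the two `wc -l` figures from the post: before and after `sort -u`."""
    all_targets = list(iter_targets(lines))
    return len(all_targets), sorted(set(all_targets))


if __name__ == "__main__":
    total, unique = unique_targets(SAMPLE_JSONL.splitlines())
    print(f"{total} targets extracted, {len(unique)} after de-duplication")
    print("\n".join(unique))
```

Run against a real download you would replace `SAMPLE_JSONL.splitlines()` with the lines of `pulse.json` and write the de-duplicated list to the file the scanner reads.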
Once the IP addresses and ports were gathered from the JSON data and placed into their own file, I created a Python script that would simply send a proof-of-concept `HEAD` HTTP request to each host.
The reason for using a `HEAD` and not a `GET` request is that I did not want to download any data: my Python script was able to determine whether a host was vulnerable or not by simply checking the HTTP response code received; a response of `200` meant that the host was vulnerable to CVE-2019-11510.
Due to the ease of exploiting CVE-2019-11510, I will not be releasing the python script I made to scan the hosts for the vulnerability.
This is an example of the output from the python scanning script, listing hosts that are vulnerable:
As of 23rd September 2020, out of the 42,915 Pulse Secure Connect hosts scanned, 736 were found to still be vulnerable to CVE-2019-11510.
The 736 hosts can be exploited by unauthorised attackers to gain access to sensitive information on the VPN endpoint, including the ability to access private keys and credentials, thus also potentially allowing an attacker to exploit the authenticated command injection vulnerability, CVE-2019-11539, which is also present in Pulse Connect Secure.
At least one vulnerable host was found in each of 69 different countries; the top 10 countries with the most vulnerable hosts are listed here:
Rank | Country | Number of Hosts |
---|---|---|
1 | Japan | 150 |
2 | United States | 149 |
3 | South Korea | 81 |
4 | Hong Kong | 45 |
5 | Taiwan | 40 |
6 | China | 26 |
7 | Great Britain | 17 |
= | France | 17 |
= | Spain | 17 |
10 | Thailand | 16 |
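The table above uses a tied-rank convention (Great Britain, France and Spain share 17 hosts, so the next rank jumps to 10). As an added example, not from the original post, the following Python ranks the per-host country codes that the ipinfo script later in the post appends to `pulse-output-countries.txt` and renders them with that same convention; the sample codes are constructed, and the script prints ISO country codes rather than the country names shown in the table.

```python
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample of one ISO country code per vulnerable host (not the real results).
SAMPLE_COUNTRIES = """\
JP
US
JP
KR
GB
FR
ES
JP
US
KR
""".splitlines()


def rank_countries(codes: Iterable[str], top_n: int = 10) -> List[Tuple[str, str, int]]:
    """Return (rank label, country, host count) rows for the top_n countries.

    Countries with the same count as the previous row get the label '=', and the
    row after a tie block resumes at its true position, e.g. 7, =, =, 10.
    Ties are ordered alphabetically so the output is deterministic.
    """
    counts = Counter(code.strip() for code in codes if code.strip())
    ordered = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    rows: List[Tuple[str, str, int]] = []
    previous_count = None
    for position, (country, count) in enumerate(ordered[:top_n], start=1):
        label = "=" if count == previous_count else str(position)
        rows.append((label, country, count))
        previous_count = count
    return rows


def to_markdown(rows: List[Tuple[str, str, int]]) -> List[str]:
    """Format the rows in the same pipe-table layout used in the post."""
    lines = ["Rank | Country | Number of Hosts |", "---|---|---|"]
    lines.extend(f"{label} | {country} | {count} |" for label, country, count in rows)
    return lines


if __name__ == "__main__":
    # Swap SAMPLE_COUNTRIES for open('pulse-output-countries.txt') to rank real output.
    print("\n".join(to_markdown(rank_countries(SAMPLE_COUNTRIES))))
```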
There were many individual companies and organisations found to be vulnerable; these included several high-profile organisations, including:
To gather additional information on each vulnerable host, I created a Python script which utilised the ipinfo.io API to gather the following details of each host:
```python
import json
import requests

# ipinfo.io API token; replace the placeholder with your own token.
TOKEN = "XXXXXXXXX"


def ipinfo(ip):
    """Look up one IP address on ipinfo.io and append its details to the output files."""
    try:
        request = requests.get("https://ipinfo.io/" + ip + "/json?token=" + TOKEN, timeout=10)
        response = json.loads(request.text)
        # One country code per line, used later to count vulnerable hosts per country.
        with open('pulse-output-countries.txt', 'a') as countries:
            print(response["country"], file=countries)
        with open('pulse-output-host-info.txt', 'a') as host_info:
            print(
                "IP Address: " + response["ip"] + "\n" +
                "Hostname: " + response["hostname"] + "\n" +
                "ASN: " + response["asn"]["asn"] + "\n" +
                "Company Name: " + response["company"]["name"] + "\n" +
                "Company Domain: " + response["company"]["domain"] + "\n" +
                "Abuse Email: " + response["abuse"]["email"] + "\n",
                file=host_info)
    except KeyError:
        # Not every record carries every field (e.g. no hostname); skip incomplete hosts.
        pass
    except requests.RequestException:
        # Network or HTTP failure talking to ipinfo.io; skip this host.
        pass


def main(filepath):
    """Read one vulnerable host per line (IP address first) and look each one up."""
    with open(filepath) as fp:
        for line in fp:
            parts = line.split()
            if not parts:
                continue
            ip = parts[0]
            ipinfo(ip)


if __name__ == "__main__":
    filepath = 'pulse-vulnerable-ips.txt'
    main(filepath)
```
Efforts have been made by OnSecurity to get in contact with the companies who are currently vulnerable to this exploit.
The simple answer to this is: yes.
Even though the vulnerability was given a CVSS score of 10 and the security advisory was published in April 2019, we have shown that there are hundreds of vulnerable versions of Pulse Secure Connect on the internet today.
With the number of people working from home during the current COVID crisis, it is more important than ever for organisations to secure their VPN products, because as you can see, by running a vulnerable version of Pulse Connect Secure you are essentially leaving the door to your house wide open, allowing anyone to enter it and take whatever they want.
This vulnerability is easily exploitable, but it is also easily resolved by upgrading your Pulse Connect Secure endpoint to the most recent version available, which as of 30th September 2020 is version 9.1R8.2.