Pulse Connect Secure File Read Exploitation Research - (CVE-2019-11510)

BY Craig Underhill / ON Oct 20, 2020

Recently I was tasked with conducting an external infrastructure penetration test against a select few IP addresses belonging to a client. Nothing out of the ordinary there, but what made this test a little more interesting was that we believed this client was a victim of the Pulse Connect Secure Arbitrary File Read vulnerability, CVE-2019-11510.

As expected, during the testing the Pulse Connect Secure endpoint was found to be patched and no longer exploitable. After researching the vulnerability and realising just how easy it is to exploit, though, I was left wondering just how many other companies are still easy pickings for a malicious actor in the wild.

This is why I decided to follow on from the great work that @bad_packets has done to bring attention to the vast number of endpoints that were still vulnerable up until March 23rd 2020. You can find his article regarding this here.

I am going to now show just how many Pulse Connect Secure endpoints are still vulnerable as of 23rd September 2020.

What is Pulse Connect Secure?

Pulse Connect Secure is an industry leading SSL VPN solution from Pulse Secure which is used by over 20,000 companies and organisations worldwide.

What is CVE-2019-11510?

CVE-2019-11510 is an Arbitrary File Read vulnerability affecting Pulse Connect Secure endpoints. This can be exploited by an unauthenticated attacker to gain access to sensitive information on the VPN endpoint, including the ability to access private keys and credentials.

If valid credentials are found by an attacker, these could also be used to exploit CVE-2019-11539, a remote authenticated command injection vulnerability in Pulse Connect Secure, allowing the attacker to gain a foothold within the target's internal network.

What Pulse Connect Secure versions are affected?

The security advisory published by Pulse Secure on April 23rd 2019 details which versions are vulnerable:

Pulse Connect Secure 9.0R1 - 9.0R3.3
Pulse Connect Secure 8.3R1 - 8.3R7
Pulse Connect Secure 8.2R1 - 8.2R12
Pulse Connect Secure 8.1R1 - 8.1R15
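
A defender-side check against the ranges listed above, as an added example that is not part of the original post: it parses the version string reported by an appliance and tests it against the four ranges, treated as inclusive. The inventory, the hostnames and the "(build ...)" suffix are constructed for illustration.

```python
import re

# Affected ranges exactly as listed above (inclusive), keyed by branch.
# Values are ((release, patch) low, (release, patch) high).
AFFECTED = {
    (9, 0): ((1, 0), (3, 3)),
    (8, 3): ((1, 0), (7, 0)),
    (8, 2): ((1, 0), (12, 0)),
    (8, 1): ((1, 0), (15, 0)),
}

_VERSION = re.compile(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", re.IGNORECASE)

def parse_version(text):
    """Parse 'MAJOR.MINORRn[.p]' (e.g. '9.0R3.3') into ((9, 0), (3, 3))."""
    m = _VERSION.search(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, release, patch = m.groups()
    return (int(major), int(minor)), (int(release), int(patch or 0))

def is_affected(text):
    """True if the version is inside a listed range. False only means
    'not in this list'; it says nothing about branches the list omits."""
    branch, release = parse_version(text)
    bounds = AFFECTED.get(branch)
    return bounds is not None and bounds[0] <= release <= bounds[1]

def triage(inventory):
    """Split {host: version} into affected, not-listed and unparsed hosts."""
    report = {"affected": [], "not_listed": [], "unparsed": []}
    for host, version in sorted(inventory.items()):
        try:
            key = "affected" if is_affected(version) else "not_listed"
        except ValueError:
            key = "unparsed"  # never silently treat unknown as safe
        report[key].append(host)
    return report

# Constructed sample inventory (hostnames and build suffix are made up).
SAMPLE = {
    "vpn-a.example": "9.0R3.3",
    "vpn-b.example": "8.3R7.1",
    "vpn-c.example": "8.2R5 (build 12345)",
    "vpn-d.example": "9.1R8.2",
    "vpn-e.example": "unknown",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts that land in "unparsed" need a manual look rather than being assumed patched.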

Locating vulnerable hosts

Gather and download all the data

Before we can try to find vulnerable hosts, we first need to gather the IP addresses of as many Pulse Connect Secure endpoints on the internet as possible and determine whether they are vulnerable. This is where BinaryEdge comes into play: because BinaryEdge scans the entire internet, it allows us to search for specific products, versions and so on, much like Shodan, enabling us to download the data of 42,923 potential Pulse Connect Secure endpoints currently on the internet.

Sort the data for testing

The downloaded data from BinaryEdge is in JSON format, allowing us to extract only the data we require by utilising jq.

jq is a command-line tool for parsing JSON and works similar to sed, allowing you to slice, filter and map structured data.

In this case, we want to gather only the IP address and port of each host; the following command outputs each host in the format ip:port:

cat pulse.json | jq -j '.target | .ip, ":", .port, "\n"'

We can also remove any potential duplicates from the output data:

cat pulse.json | jq -j '.target | .ip, ":", .port, "\n"' | wc -l 
42923
cat pulse.json | jq -j '.target | .ip, ":", .port, "\n"' | sort -u | wc -l 
42915

Scanning the hosts for CVE-2019-11510

Once the IP addresses and ports were gathered from the JSON data and placed into their own file, I created a python script that would simply send a proof of concept HEAD HTTP request to each host.

The reason for using a HEAD and not a GET request is that I did not want to download any data. My python script was able to determine whether a host was vulnerable simply by checking the HTTP response code received; a response of 200 meant that the host was vulnerable to CVE-2019-11510.

Due to the ease of exploiting CVE-2019-11510, I will not be releasing the python script I made to scan the hosts for the vulnerability.

This is an example of the output from the python scanning script, listing hosts that are vulnerable:

The findings from the scan

How many hosts are vulnerable?

As of 23rd September 2020, out of the 42,915 Pulse Connect Secure hosts scanned, 736 were found to still be vulnerable to CVE-2019-11510.

The 736 hosts can be exploited by unauthorised attackers to gain access to sensitive information on the VPN endpoint, including the ability to access private keys and credentials. This in turn potentially allows an attacker to exploit the authenticated command injection vulnerability, CVE-2019-11539, which is also present in Pulse Connect Secure.

What countries have the most vulnerable hosts?

At least 1 vulnerable host was found in each of 69 different countries. The top 10 countries with the most vulnerable hosts are:

Rank   Country          Number of Hosts
1      Japan            150
2      United States    149
3      South Korea      81
4      Hong Kong        45
5      Taiwan           40
6      China            26
7      Great Britain    17
=      France           17
=      Spain            17
10     Thailand         16

Several hosts found were from high profile organisations

Many individual companies and organisations were found to be vulnerable, including several high profile organisations:

  • A foreign government department
  • A US critical infrastructure provider
  • A global 500 company
  • A public university
  • Multiple renowned telecommunications companies
  • A well-known gaming development company

Python script used to gather additional details on each vulnerable host

To gather additional information on each vulnerable host, I created a python script which utilised the ipinfo.io API to gather the following details of each host:

  • IP address
  • Country of origin
  • Hostname
  • ASN
  • Company name
  • Company domain
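  • Abuse email

import requests
import json

def ipinfo(ip):
    """Query ipinfo.io for one IP and append the results to the output files."""
    try:
        # A timeout stops one unresponsive lookup from hanging the whole run
        request = requests.get("https://ipinfo.io/" + ip + "/json?token=XXXXXXXXX", timeout=10)
        response = json.loads(request.text)
    except (requests.RequestException, ValueError):
        # Network error or non-JSON reply: skip this host
        return
    try:
        # Country codes go to their own file so they can be counted later
        with open('pulse-output-countries.txt', 'a') as countries:
            print(response["country"], file=countries)
        with open('pulse-output-host-info.txt', 'a') as host_info:
            print(
                "IP Address: " + response["ip"] + "\n" +
                "Hostname: " + response["hostname"] + "\n" +
                "ASN: " + response["asn"]["asn"] + "\n" +
                "Company Name: " + response["company"]["name"] + "\n" +
                "Company Domain: " + response["company"]["domain"] + "\n" +
                "Abuse Email: " + response["abuse"]["email"] + "\n",
                file=host_info)
    except KeyError:
        # The API omits fields it has no data for; skip incomplete records
        pass

def main(filepath):
    with open(filepath) as fp:
        for line in fp:
            # The IP is the first whitespace-separated field; split() also
            # drops the trailing newline so it never ends up in the URL
            parts = line.split()
            if not parts:
                continue  # skip blank lines
            ipinfo(parts[0])

if __name__ == "__main__":
    filepath = 'pulse-vulnerable-ips.txt'
    main(filepath)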

Informing the companies who are vulnerable

Efforts have been made by OnSecurity to get in contact with the companies who are currently vulnerable to this exploit.

Is the vulnerability still being exploited today?

The simple answer to this is yes.

Even though the vulnerability was given a CVSS score of 10 and the security advisory for it was published in April 2019, we have shown that there are hundreds of vulnerable versions of Pulse Connect Secure on the internet today.

Examples of CVE-2019-11510 being exploited by malicious actors

Conclusion

With the number of people working from home during the current COVID crisis, it is more important than ever for organisations to secure their VPN products. As you can see, by running a vulnerable version of Pulse Connect Secure you are essentially leaving the door to your house wide open, allowing anyone to enter it and take whatever they want.

This vulnerability is easily exploitable, but is also easily resolved by upgrading your Pulse Connect Secure endpoint to the most recent version available, which as of 30th September 2020, is version 9.1R8.2.
