CVE-2019-11510
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file read.
Analysis
Pulse Secure Pulse Connect Secure contains a pre-authentication arbitrary file reading vulnerability that allows unauthenticated remote attackers to read any file from the VPN appliance, including cached credentials and session tokens.
Technical Context
This is a CWE-22 path traversal vulnerability: an unauthenticated request carrying a crafted URI to the VPN web interface can read arbitrary files. Critical files exposed include /etc/passwd, /etc/shadow (encrypted), and, most importantly, the session database containing cached AD credentials in plaintext and active VPN session cookies.
Affected Products
- Pulse Secure Pulse Connect Secure 8.2 before 8.2R12.1
- Pulse Secure PCS 8.3 before 8.3R7.1
- Pulse Secure PCS 9.0 before 9.0R3.4
Remediation
Patch immediately. After patching, rotate ALL Active Directory credentials that were cached on the VPN appliance. Revoke all active VPN sessions. Enable MFA for VPN access. Review authentication logs for unauthorized access using stolen credentials.
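To decide which appliances need the remediation above, the following added example (not vendor or vuln.today code) classifies PCS version strings against the fixed releases listed under Affected Products. The function names and the inventory hostnames are constructed for illustration, and version strings are assumed to follow the `8.2R12.1` form used in the advisory.

```python
import re

# Fixed release per branch, taken from the advisory text above:
# (major, minor) -> (R-release, patch)
FIXED = {(8, 2): (12, 1), (8, 3): (7, 1), (9, 0): (3, 4)}

# Matches strings such as "8.2R12.1" or "9.0R3" (patch part optional).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_pcs_version(text):
    """Split a PCS version into ((major, minor), (release, patch))."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PCS version: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor)), (int(release), int(patch or 0))


def classify(version):
    """Return 'vulnerable', 'patched', 'branch-not-listed' or 'unparseable'."""
    try:
        branch, release = parse_pcs_version(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED.get(branch)
    if fixed is None:
        # The advisory names only 8.2, 8.3 and 9.0; anything else needs manual review.
        return "branch-not-listed"
    # Tuple comparison is numeric, so R9 sorts below R12 (a string compare would not).
    return "vulnerable" if release < fixed else "patched"


def triage(inventory):
    """Map hostname -> status for every appliance that is not confirmed patched."""
    results = {host: classify(ver) for host, ver in inventory.items()}
    return {host: status for host, status in results.items() if status != "patched"}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    sample = {
        "vpn-a.example.internal": "8.2R9",
        "vpn-b.example.internal": "8.3R7.1",
        "vpn-c.example.internal": "9.0R3.3",
        "vpn-d.example.internal": "unknown",
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host}: {status}")
```

Hosts reported as `vulnerable` need the full remediation sequence, including credential rotation and session revocation, not only the patch.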