Vulnerability Details CVE-2019-11539
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.939
EPSS Ranking 99.9%
CVSS Severity
CVSS v3 Score 8.0
CVSS v2 Score 6.5
Proposed Action
Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands.
Ransomware Campaign
Known
References
- http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
- http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
- http://www.securityfocus.com/bid/108073
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
- https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- https://www.kb.cert.org/vuls/id/927237
- http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
- http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
- http://www.securityfocus.com/bid/108073
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
- https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- https://www.kb.cert.org/vuls/id/927237
Products affected by CVE-2019-11539
-
cpe:2.3:a:ivanti:connect_secure:8.1
-
cpe:2.3:a:ivanti:connect_secure:8.2
-
cpe:2.3:a:ivanti:connect_secure:8.3
-
cpe:2.3:a:ivanti:connect_secure:9.0
-
cpe:2.3:a:ivanti:policy_secure:9.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r1.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r1.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r10.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r11.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r11.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r12.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r12.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r13.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r14.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r2.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r2.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r3.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r3.2
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r4.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r5.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r6.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r7.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r8.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r9.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r9.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r1.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r10.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r11.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r2.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r3.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r3.2
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r4.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r5.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r6.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r7.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r7.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r8.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r9.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r9.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2rx
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r1.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r1.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r10.
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r11.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r12.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r2.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r3.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r3.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r4.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r4.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r5.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r5.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r5.2
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r6.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r7.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r8.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r8.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r8.2
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r9.0
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3rx
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r2
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r2.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r3
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r4
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r5
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r5.2
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r6
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r6.1
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r7
-
cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4rx