SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX

Product Affected: Pulse Connect Secure, Pulse Policy Secure
Problem
Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Many of these vulnerabilities have a critical CVSS score and pose significant risk to your deployment. We strongly recommend upgrading to the corresponding version with the fix as soon as possible.

CVEs have been requested and will be updated in the future.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? per our End of Engineering (EOE) and End of Life (EOL) policies.

The table below provides details of the vulnerabilities and the affected and not affected products:

Affected Versions:
  • Pulse Connect Secure 9.0R1 - 9.0R3.3
  • Pulse Connect Secure 8.3R1 - 8.3R7
  • Pulse Connect Secure 8.2R1 - 8.2R12
  • Pulse Connect Secure 8.1R1 - 8.1R15
  • Pulse Policy Secure 9.0R1 - 9.0R3.3
  • Pulse Policy Secure 5.4R1 - 5.4R7
  • Pulse Policy Secure 5.3R1 - 5.3R12
  • Pulse Policy Secure 5.2R1 - 5.2R12
  • Pulse Policy Secure 5.1R1 - 5.1R15
Not Affected:
  • Pulse Connect Secure and Pulse Policy Secure 9.1R1 and above
  • All patched versions stated in the Solution Section
 
| CVE | CVSS Score (V3) | Summary | Product Affected |
|---|---|---|---|
| CVE-2019-11510 | 10 Critical; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | An unauthenticated attacker with network access via HTTPS can send a specially crafted URI to exploit an arbitrary file read vulnerability. | Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX. Note: 8.1RX and below are not directly impacted |
| CVE-2019-11508 | 9.9 Critical; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | A vulnerability in the Network File Share (NFS) of Pulse Connect Secure allows an authenticated end-user attacker to upload a malicious file to write arbitrary files to the local system. | Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX, 8.1RX |
| | 9.9 Critical; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | Multiple vulnerabilities are patched for Ghostscript: CVE-2018-16513, CVE-2018-18284, CVE-2018-15911, CVE-2018-15910, CVE-2018-15909 | Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX |
| CVE-2019-11540 | 8.3 High; CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | A vulnerability in Pulse Secure could allow an unauthenticated, remote attacker to conduct an (end user) session hijacking attack. | Pulse Connect Secure: 9.0RX, 8.3RX; Pulse Policy Secure: 9.0RX, 5.4RX |
| CVE-2019-11543 | 8.3 HIGH; CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | An XSS issue was found in the admin web console. Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1. | Pulse Connect Secure: 9.0RX, 8.3RX, 8.1RX; Pulse Policy Secure: 9.0RX, 5.4RX, 5.2RX |
| CVE-2019-11541 | 8.3 High; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L | Users using SAML authentication with the Reuse Existing NC (Pulse) Session option may see authentication leaks. | Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX |
| CVE-2019-11542 | 8.0 High; CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | An authenticated attacker via the admin web interface can send a specially crafted message resulting in a stack buffer overflow. | Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX, 8.1RX; Pulse Policy Secure: 9.0RX, 5.4RX, 5.3RX, 5.2RX, 5.1RX |
| CVE-2019-11539 | 8.0 High; CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | An authenticated attacker can inject and execute commands via the admin web interface (command injection). | Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX, 8.1RX; Pulse Policy Secure: 9.0RX, 5.4RX, 5.3RX, 5.2RX, 5.1RX |
| CVE-2019-11538 | 7.7 High; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | A vulnerability in the Network File Share (NFS) of Pulse Connect Secure could allow an authenticated end-user attacker to access the contents of arbitrary files on the local file system. | Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX, 8.1RX |
| CVE-2019-11509 | 6.4 Medium; CVSS v3 AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H | An authenticated attacker via the admin web interface can exploit this issue to execute arbitrary code on the Pulse Secure appliance. | Pulse Connect Secure: 9.0RX, 8.3RX, 8.2RX, 8.1RX; Pulse Policy Secure: 9.0RX, 5.4RX, 5.3RX, 5.2RX, 5.1RX |
| CVE-2019-11507 | 5.8 Medium; CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L | An XSS issue has been found in the Pulse Secure Application Launcher page. Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1, and 9.0.x before 9.0R3. | Pulse Connect Secure: 9.0RX, 8.3RX |

 
Solution
The solution for these vulnerabilities is to upgrade your Pulse Connect Secure and Pulse Policy Secure server software to the corresponding version that has the fix. The following table provides guidance on the software you should deploy depending on your current software version.
 
| If the PCS/PPS version is installed: | Then deploy this version (or later) to resolve the issue: | Expected Release | Notes (if any) |
|---|---|---|---|
| Pulse Connect Secure 9.0RX | Pulse Connect Secure 9.0R3.4 & 9.0R4 | Available Now | |
| Pulse Connect Secure 8.3RX | Pulse Connect Secure 8.3R7.1 | Available Now | |
| Pulse Connect Secure 8.2RX | Pulse Connect Secure 8.2R12.1 | Available Now | |
| Pulse Connect Secure 8.1RX | Pulse Connect Secure 8.1R15.1 | Available Now | |
| Pulse Policy Secure 9.0RX | Pulse Policy Secure 9.0R3.2 & 9.0R4 | Available Now | |
| Pulse Policy Secure 5.4RX | Pulse Policy Secure 5.4R7.1 | Available Now | |
| Pulse Policy Secure 5.3RX | Pulse Policy Secure 5.3R12.1 | Available Now | |
| Pulse Policy Secure 5.2RX | Pulse Policy Secure 5.2R12.1 | Available Now | |
| Pulse Policy Secure 5.1RX | Pulse Policy Secure 5.1R15.1 | Available Now | |
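
The upgrade guidance above can be applied to an appliance inventory with a short script. This is an added example, not Pulse Secure code: the fixed-release thresholds are taken from the Solution table, the "not affected" cut-off from the 9.1R1 statement, and the hostnames and installed versions in the sample inventory are constructed.

```python
import re

# Minimum fixed release per branch, copied from the advisory's Solution table.
FIXED = {
    "PCS": {"9.0": "9.0R3.4", "8.3": "8.3R7.1", "8.2": "8.2R12.1",
            "8.1": "8.1R15.1"},
    "PPS": {"9.0": "9.0R3.2", "5.4": "5.4R7.1", "5.3": "5.3R12.1",
            "5.2": "5.2R12.1", "5.1": "5.1R15.1"},
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '8.3R7.1' into (8, 3, 7, 1); a missing patch level counts as 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) if part else 0 for part in match.groups())


def triage(product, version):
    """Return (status, minimum fixed release or None) for one appliance."""
    parsed = parse_version(version)
    if parsed[:3] >= (9, 1, 1):
        return ("not affected", None)  # advisory: 9.1R1 and above
    fixed = FIXED[product].get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return ("branch not listed", None)  # no fix named in the advisory
    if parsed >= parse_version(fixed):
        return ("patched", fixed)
    return ("upgrade required", fixed)


# Constructed inventory: hostnames and installed versions are made up.
INVENTORY = [
    ("vpn-a", "PCS", "9.0R3.3"),
    ("vpn-b", "PCS", "8.3R7.1"),
    ("vpn-c", "PCS", "9.1R1"),
    ("nac-a", "PPS", "5.4R7"),
    ("vpn-old", "PCS", "8.0R5"),
]


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(prod, ver) for host, prod, ver in inventory}


if __name__ == "__main__":
    for host, (status, fixed) in report(INVENTORY).items():
        print(host, status, fixed or "-")
```

A "branch not listed" result means the advisory names no fixed release for that branch, so the appliance needs a separate review.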
 

Exploitation and Announcements:

The vulnerabilities described in this advisory were found and properly disclosed by security researchers on March 22, 2019.

Pulse Secure PSIRT is aware of the existence of exploit code that can demonstrate these vulnerabilities. Pulse Secure strongly recommends upgrading to the patched software as soon as possible.
 

Frequently Asked Questions (FAQ):


Question 1: Can I delay the upgrade and upgrade to the next major release instead?
Answer: Some of these vulnerabilities have a critical CVSS score and pose significant risk to your deployment. Pulse Secure recommends upgrading to the corresponding version with the fix as soon as possible.

Question 2: Do I need to reboot my appliance after upgrading to the fix version?
Answer: Yes, once you upgrade your device it will automatically get rebooted. 

Question 3: Do I need to upgrade client components (including Pulse Desktop Client) on my Windows, Mac, Linux, Android, or iOS endpoints?
Answer: The vulnerabilities are specific to PCS/PPS server code. The client side components such as Legacy WSAM, Network Connect, Host Checker, and Terminal Services will be upgraded as part of the upgrade. The client machines need to have the Pulse installer service installed or have the required privileges/rights.

Pulse Desktop Client and Pulse Mobile (for iOS and Android) do not require an upgrade to patch the following issues.

Note: Pulse Desktop Clients will upgrade on the end points if the PCS/PPS server side configuration is set to “Auto-Upgrade” with a higher Pulse Desktop Client package set to Active. To avoid upgrading the Pulse Desktop Client, please upload the equivalent Pulse Desktop Client version and mark as Active.

Question 4: How do I upgrade Pulse Connect Secure / Pulse Policy Secure to resolve this vulnerability?
Answer:  Download a fixed version of the Pulse Connect Secure or Pulse Policy Secure available from the Licensing & Download Center at https://my.pulsesecure.net.  For upgrade documentation, please refer to:
For additional FAQ and upgrade recommendations, refer to KB23051.

Question 5: Is there any workaround to fix this vulnerability temporarily?
Answer: No, there is no workaround. Pulse Secure strongly recommends that administrators upgrade their devices to fixed versions.

Question 6:  I do not have access to my.pulsesecure.net to download the recommended PCS/PPS version.
Answer: Please refer to KB40031 for onboarding at my.pulsesecure.net. If you face any issues, please contact Pulse Secure Global Support Center.

Document History:
April 24, 2019 - Initial advisory posted
April 25, 2019 - CVE-2019-11510, CVE-2019-11509, CVE-2019-11508, CVE-2019-11507, CVE-2019-11543, CVE-2019-11542, CVE-2019-11541, CVE-2019-11540, CVE-2019-11539, CVE-2019-11538 were assigned. Workaround provided for CVE-2019-11508.
July 26, 2019 - Adding information about 9.1RX
July 30, 2019 - Change description verbiage for CVE-2019-11538
August 17, 2019 - Updated details for CVE-2019-11510 as 8.1RX and below are not directly impacted
August 20, 2019 - Updated verbiage for the description of CVE-2019-11540

LEGAL DISCLAIMER
  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround
CVE-2019-11508 and CVE-2019-11538 can be mitigated by disabling the File Share feature on the Pulse Connect Secure device.

There are no workarounds that address the other vulnerabilities. 
Acknowledgements
  • Orange Tsai and Meh Chang from DEVCORE research team
  • Jake Valletta from FireEye
Alert Type: SA - Security Advisory