Heads up Pulse Secure VPN users! Researchers have found numerous vulnerabilities in Pulse Secure VPN that can have devastating impact on users. One of these bugs could even allow remote code execution attacks.
RCE Vulnerability Discovered
Researchers from GoSecure cybersecurity firm have found multiple vulnerabilities in Pulse Secure VPN including a remote code execution flaw.
Sharing the details in a post, the researchers revealed that they discovered a command injection vulnerability in the VPN. Specifically, the bug existed in the downloadlicenses.cgi file of the admin portal.
Thus, an authenticated attacker could simply exploit the bug by tricking an administrator into clicking on a malicious link. Consequently, the attacker could gain code execution privileges as an admin on the target system.
Although, the researchers explain that exploiting the bug wasn’t trivial. Thanks to the security measures already in place by Pulse Secure.
Nonetheless, with a little effort, it was still possible to exploit the bug.
As the researcher, Jean-Frédéric Gauron, stated in the blog post,
While it does require to be authenticated, the fact that it can be triggered by a simple phishing attack on the right victim should be evidence enough that this vulnerability is not to be ignored.
Following their report, the vendors patched the vulnerability, CVE-2020-8218 with the release of Pulse Connect Secure (PCS) 9.1R8.
Describing the bug in the advisory, the vendors state,
Authenticated attacker via the admin web interface can crafted URI to perform an arbitrary code execution.
They have labeled the vulnerability as a high-severity flaw with a CVSS score of 7.2.
Other Pulse Secure VPN Vulnerabilities Remain Undisclosed
According to Gauron, their team has discovered numerous other vulnerabilities as well in the same VPN client. They found all these flaws ‘during an engagement’ while testing the latest VPN version available at that time.
However, they haven’t disclosed the other vulnerabilities yet. Rather, they will disclose them after they have been fixed, or after the 90-day disclosure period completes.
Besides, they have also planned to share their findings in the upcoming GoSec 2020 virtual conference scheduled for September 23 and 24, 2020.
Let us know your thoughts in the comments.