Pulsesecure Pulse Connect Secure 8.1 Remote Code Execution Vulnerability

Summary

In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 and Pulse Policy Secure (PPS) before 5.1R15.1, 5.2 before 5.2R12.1, 5.3 before 5.3R15.1, 5.4 before 5.4R7.1, and 9.0 before 9.0R3.2, an authenticated attacker (via the admin web interface) can exploit Incorrect Access Control to execute arbitrary code on the appliance.

Credit:

The information has been provided by Jake Valletta.

The original article can be found at: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/


Details

Pulse Connect Secure is prone to a remote code-execution vulnerability. A remote attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition.

Vulnerable Systems:

  • Pulsesecure Pulse Connect Secure 8.1
  • Pulsesecure Pulse Connect Secure 8.2
  • Pulsesecure Pulse Connect Secure 8.3
  • Pulsesecure Pulse Connect Secure 9.0
  • Pulsesecure Pulse Connect Secure 5.2
  • Pulsesecure Pulse Connect Secure 5.4
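
To triage an appliance inventory against the fixed releases named in the Summary, the following added example (not part of the original advisory or vendor tooling) classifies a PCS or PPS build string. It assumes version strings of the form <major>.<minor>R<release>[.<patch>]; the host names and inventory are constructed.

```python
import re

# Fixed releases per branch, taken from the advisory Summary above.
FIXED = {
    "PCS": {(8, 1): (15, 1), (8, 2): (12, 1), (8, 3): (7, 1), (9, 0): (3, 4)},
    "PPS": {(5, 1): (15, 1), (5, 2): (12, 1), (5, 3): (15, 1),
            (5, 4): (7, 1), (9, 0): (3, 2)},
}

# Assumed version format: <major>.<minor>R<release>[.<patch>], e.g. "8.2R12.1"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor), (release, patch)) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    # A missing patch component (e.g. "5.4R7") is treated as patch 0.
    major, minor, release, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (release, patch)


def status(product, version):
    """Classify a build as 'vulnerable', 'fixed' or 'not-listed'."""
    table = FIXED[product.upper()]
    branch, build = parse_version(version)
    if branch in table:
        return "vulnerable" if build < table[branch] else "fixed"
    # "before 8.1R15.1" / "before 5.1R15.1" also covers older branches.
    if branch < min(table):
        return "vulnerable"
    return "not-listed"  # branch the advisory text does not mention


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [("vpn-a", "PCS", "8.1R14.0"), ("vpn-b", "PCS", "9.0R3.4"),
                 ("nac-a", "PPS", "5.4R7"), ("nac-b", "PPS", "9.0R3.2"),
                 ("vpn-c", "PCS", "8.0R9.2"), ("vpn-d", "PCS", "9.1R1")]
    for host, product, version in inventory:
        print(f"{host:6} {product} {version:9} {status(product, version)}")
```

A "not-listed" result means the branch is newer than anything the advisory text names, so it needs checking against the vendor's current guidance rather than being assumed safe.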

CVE Information:

CVE-2019-11509

Disclosure Timeline:
Publish Date: 06/03/2019
