CVE-2019-11541: Public KB - SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure

The solution for these vulnerabilities is to upgrade your Pulse Connect Secure and Pulse Policy Secure server software version to the corresponding version that has the fix. The following table provides guidance on the software you should deploy depending on current software version.

If the PCS/PPS version is installed:

Then deploy this version (or later)
****to resolve the issue:****

Expected Release

Notes (if any)

Pulse Connect Secure 9.0RX

Pulse Connect Secure 9.0R3.4 & 9.0R4

Available Now

Pulse Connect Secure 8.3RX

Pulse Connect Secure 8.3R7.1

Available Now

Pulse Connect Secure 8.2RX

Pulse Connect Secure 8.2R12.1

Available Now

Pulse Connect Secure 8.1RX

Pulse Connect Secure 8.1R15.1

Available Now

Pulse Policy Secure 9.0RX

Pulse Policy Secure 9.0R3.2 & 9.0R4

Available Now

Pulse Policy Secure 5.4RX

Pulse Policy Secure 5.4R7.1

Available Now

Pulse Policy Secure 5.3RX

Pulse Policy Secure 5.3R12.1

Available Now

Pulse Policy Secure 5.2RX

Pulse Policy Secure 5.2R12.1

Available Now

Pulse Policy Secure 5.1RX

Pulse Policy Secure 5.1R15.1

Available Now

Post-Upgrade Recommendations:

Pulse Secure strongly recommends the following steps after upgrading to a patched version of the software:

• Any end user and administrator passwords used to login to the device should be changed.
• Any service account passwords stored on the device (LDAP, RADIUS, AD, etc.) should be changed.
• Replace device certificates(s) by generating a new certificate signing request (CSR) on the device.
• If TOTP Auth Server is configured on the appliance, administrator needs to reset the TOTP users to register again. Refer KB41050 for details.
• Disable roaming session or limit to subnet for non-roaming user roles:
  This feature ensures that if a session cookie is stolen it cannot be reused by a different IP address than the user who first logged in. This lowers the possibility of a session being stolen and reused by an attacker. This would require the end user to re-authenticate when the source IP address is changed.

1. Users: (Users --> User Roles --> <role name> --> General --> Session Options: Roaming Session, select “Disabled”).
2. Admins: (Administrators --> Admin Roles --> <role name> --> General --> Session Options: Roaming Session, select “Disabled”).

Exploitation and Announcements:

These vulnerabilities described in this advisory was found and properly disclosed by security researchers on March 22, 2019.

As of Jan 2020, Pulse Secure PSIRT is aware of attempted exploitation of this vulnerability in the wild related to REvil ransomware. Pulse Secure is strongly recommending to upgrade to the patched software as soon as possible.

Frequently Asked Questions (FAQ):

Question 1: Can I delay the upgrade and upgrade to the next major release instead?
Answer: No,

Pulse Secure recommends to upgrade to the corresponding version with the fix as soon as possible.

Question 2: Where can I find and download the security patches for CVE-2019-11510 vulnerability?
Answer: All security patches are available from the Download Center at https://my.pulsesecure.net. For instructions to download software, please refer to KB40028 - [Customer Support Tools] How to download software / firmware for Pulse Secure products using the Licensing & Download Center at my.pulsesecure.net

Question 3: Will the device reboot after upgrading to the fix version?
Answer: Yes, once you upgrade your device it will automatically get rebooted.

Question 4: Do I need to upgrade client components (including Pulse Desktop Client, Network Connect, WSAM, Terminal Services) on my Windows, Mac, Linux, Android, or IOS endpoints?
Answer:

For Pulse Desktop Client or Pulse Mobile (for iOS and Android)

• Upgrade of these client components are not required.

Note: Pulse Desktop Clients will upgrade on the end points if the PCS/PPS server side configuration is set to “Auto-Upgrade” with a higher Pulse Desktop Client package set to Active. To avoid upgrading the Pulse Desktop Client, please upload the equivalent Pulse Desktop Client version and mark as Active.

For WSAM, Network Connect, Host Checker, and Terminal Services customers

• The client will be upgraded as part of the server upgrade. If client machines do not have administrator privileges, ensure Pulse Secure Installer Service is installed or have the required privileges/rights.

Question 5: ****How do I upgrade Pulse Connect Secure / Pulse Policy Secure to resolve this vulnerability?****
Answer: Download a fixed version of the Pulse Connect Secure or Pulse Policy Secure available from the Licensing & Download Center at https://my.pulsesecure.net. For upgrade documentation, please refer to:

• Upgrade PCS Cluster
• Upgrade PCS Standalone Device

For additional FAQ and upgrade recommendations, refer to KB23051.

Question 6: Is there any workaround to fix this vulnerability temporarily?
Answer: No, there is no workaround. Pulse Secure is strongly recommending for administrator to upgrade their devices to fixed versions.

Question 7: I do not have access to my.pulsesecure.net to download the recommended PCS/PPS version.
Answer: Please refer KB40031 to Onboarding at my.pulsesecure.net. If you face any issue, please contact Pulse Secure Global Support Center.

Question 8: After upgrading to the patched version, Qualys and Tenable is still showing the device as vulnerable?
Answer: Qualys and Tenable are parsing the version number and does not properly confirm the issue. Pulse Secure is working with both vendors to properly detect the issue. If the device is running a patched version, CVE-2019-11510 is no longer applicable.

Question 9: Are there any IOCs (indicators of compromise) that we can search for within our logs to detect exploit attempts?
Answer: The U.S. Cyber and Infrastructure Security Agency (CISA) released a Python tool called “Check Your Pulse.” The tool will analyze your downloaded PCS logs for IOCs and alert on any matches. It’s important to note that unsuccessful exploit attempts against patched servers will continue to show up in the server logs. Therefore, CISA’s “Check Your Pulse” tool will alert on failed exploit attempts against patched instances.

The link to “Check Your Pulse” above can be expanded out to the full URL: https://github.com/cisagov/check-your-pulse

Question 10: FireEye recently announced a breach relating to their red-team tools and techniques which include the Pulse Secure CVE.
Ans: On December 8th cybersecurity vendor FireEye reported a breach of their network and data exfiltration which included their internally developed Red Team tools. FireEye took the step of publishing details of these tools in a GitHub repository to allow other vendors to protect against their use by potential adversaries.

In the F5 Security Advisory, one of these targeted vulnerabilities includes a Pulse Secure vulnerability. On April 24th, 2019, Pulse Secure released security fixes for a critical Remote Code Execution (RCE) vulnerability, CVE-2019-11510, for Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) appliances.

F5 Advisory is available here: https://support.f5.com/csp/article/K43840335

Document History:
April 24, 2019 - Initial advisory posted and software was posted to the Download Center.
April 25, 2019 - CVE-2019-11510, CVE-2019-11509, CVE-2019-11508, CVE-2019-11507, CVE-2019-11543, CVE-2019-11542, CVE-2019-11541, CVE-2019-11540, CVE-2019-11539, CVE-2019-11538 were assigned. Workaround provided for CVE-2019-11508.
July 26, 2019 - Adding information about 9.1RX
July 30, 2019 - Change description verbiage for CVE-2019-11538
August 17, 2019 - Updated details for CVE-2019-11510 as 8.1RX and below are not directly impacted
August 20, 2019 - Updated verbiage for the description of CVE-2019-11540 and CVE-2019-11510
October 17, 2019 - Updated the recommendation to reset the TOTP Users.
Jan 13, 2020 - Updated verbiage in exploitation and public announcements section
April 17, 2020 - Updated FAQ Details
April 20, 2020 - Updated Post-Upgrade Recommendation
August 7, 2020 - Updated Post-Upgrade Recommendation
December 15, 2020 - Updated FAQ Details

LEGAL DISCLAIMER

• THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK. PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
• A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS. THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.