CVE-2020-11582

06.04.2020, 21:15

An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This can be reached by local HTTP clients, because up to 25 invalid lines are ignored, and because DNS rebinding can occur. (This server accepts, for example, a setcookie command that might be relevant to CVE-2020-11581 exploitation.)

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 34%

Vendor	Product	Version
pulsesecure	pulse_connect_secure	𝑥 ≤ 2020-04-06
pulsesecure	pulse_policy_secure	-

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-668 - Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References

https://git.lsd.cat/g/pulse-host-checker-rce

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426

https://git.lsd.cat/g/pulse-host-checker-rce

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426