On August 22, BadPackets experts observed mass scanning activity targeting Pulse Secure “Pulse Connect Secure” VPN endpoints vulnerable to CVE-2019-11510. Recently another popular
The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.
“Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability.” reads the advisory.
The vulnerability can be easily exploited using publicly available proof-of-concept code.
The scanning activity detected by the
Attackers attempted to download the “etc/passwd” file that contains the
“A successful “HTTP 200/OK” response to this scan indicates the VPN endpoint is vulnerable to further attacks. Given the ongoing scanning activity, it’s likely the attackers have enumerated all publicly accessible hosts vulnerable to CVE-2019-11510.” reads the post published by
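A log triage built on the indicator described above, as an added example that is not from the BadPackets post or from Pulse Secure: it flags requests whose decoded URI references etc/passwd and separates those answered with HTTP 200 from those that were refused. The combined log format, the sample lines and the `/PLACEHOLDER/` paths are constructed assumptions, not the real request.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache/NGINX "combined" format (an assumption;
# adapt LINE_RE to what your VPN front end or reverse proxy actually logs).
# Addresses are RFC 5737 documentation ranges; paths are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Aug/2019:10:01:02 +0000] "GET /PLACEHOLDER/etc/passwd HTTP/1.1" 200 1533 "-" "-"
198.51.100.7 - - [22/Aug/2019:10:01:09 +0000] "GET /PLACEHOLDER/etc%2Fpasswd HTTP/1.1" 404 162 "-" "-"
203.0.113.9 - - [22/Aug/2019:11:15:40 +0000] "GET /PLACEHOLDER/%2565tc/passwd HTTP/1.1" 200 1533 "-" "-"
192.0.2.44 - - [22/Aug/2019:11:16:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def decode_fully(uri, rounds=3):
    """Undo up to `rounds` layers of percent-encoding, then lowercase."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

def triage(log_text):
    """Map source IP -> timestamps of etc/passwd requests, split by outcome.

    "exposed": the server answered 200, so treat the file as disclosed.
    "probed":  any other status; the attempt was made but not served.
    """
    hits = defaultdict(lambda: {"exposed": [], "probed": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "etc/passwd" not in decode_fully(m["uri"]):
            continue
        bucket = "exposed" if m["status"] == "200" else "probed"
        hits[m["ip"]][bucket].append(m["ts"])
    return dict(hits)

if __name__ == "__main__":
    for ip, result in triage(SAMPLE_LOG).items():
        print(ip, "exposed:", result["exposed"], "probed:", result["probed"])
```

Any source that lands in the "exposed" bucket on an internet-facing VPN host is a reason to check the installed software version against the vendor's fixed releases.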
Most of the vulnerable hosts were in the U.S.
The researchers also analyzed the distribution of the vulnerable hosts by industry and discovered that the flaw affects hosts in:
BadPackets did not disclose the list of affected organizations, to prevent threat actors from targeting them.
“Pulse Secure VPN administrators need to immediately ensure they’re not using versions of the “Pulse Connect Secure” server software vulnerable to CVE-2019-11510. Pulse Secure has provided guidance on how to update to fixed versions.” concludes the post.
(SecurityAffairs – CVE-2019-11510, hacking)