Pulse Secure “Pulse Connect Secure” VPN describes itself as:
a seamless, cost-effective, SSL VPN solution for remote and mobile users from any web-enabled device to corporate resources
So, it's no surprise it is used by Enterprises but also Governments around the world.
On August 22, 2019, our honeypots started detecting mass scanning activity targeting Pulse Secure “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This vulnerability was addressed by Pulse Secure on 24th April 2019.
In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
In a summary, it allows unauthenticated attackers to read sensitive information like private keys and user passwords; Having access to those credentials, attackers could then take advantage of CVE-2019-11539, allowing attackers to gain access inside private VPN networks.
In the last week of August we ran a worldwide scan to understand the versions of the exposed Pulse Secure VPN Endpoints. Based on a simple HTTPS Request on port 443, this is the data gathered:
Query: port:443 AND DSSETUP_CLIENT_VERSION_PULSE
Top 20 Pulse VPN Versions Detected
| Version | Count |
|---|---|
| 8.3.7.1933 | 12318 |
| 9.0.4.1731 | 3045 |
| 9.1.2.901 | 2326 |
| 8.2.12.1223 | 2019 |
| 9.0.3.1667 | 1846 |
| 8.3.4.1161 | 1517 |
| 8.3.5.1491 | 1405 |
| 9.1.1.607 | 1248 |
| 9.0.4.1821 | 870 |
| 8.3.6.1769 | 798 |
| 8.3.3.1021 | 652 |
| 8.2.5.869 | 636 |
| 8.2.6.977 | 626 |
| 8.2.7.1025 | 613 |
| 9.0.3.1599 | 562 |
| 9.0.2.1421 | 416 |
| 8.3.2.903 | 360 |
| 8.3.1.755 | 300 |
| 9.0.1.571 | 298 |
| 8.2.8.1075 | 279 |
Organizations (Based on Reverse DNS)
| Parent Domain | Count |
|---|---|
| akamaitechnologies.com | 3465 |
| rima-tde.net | 325 |
| expedient.com | 301 |
| comcastbusiness.net | 245 |
| amazonaws.com | 211 |
| virtela.net | 202 |
| hinet.net | 167 |
| rr.com | 129 |
| ucom.ne.jp | 113 |
| belgacom.be | 111 |
| bezeqint.net | 99 |
| vectant.ne.jp | 88 |
| qwest.net | 86 |
| sfr.net | 69 |
| ocn.ne.jp | 68 |
| lightower.net | 67 |
| kpn.net | 65 |
| accenture.com | 51 |
| cox.net | 49 |
| vsnl.net.in | 49 |
On a final note, Organizations should ensure their systems are patched As Soon As Possible.