RCE in Pulse Connect Secure (CVE-2020-8218)

Eugene Tkachenko
Latest posts by Eugene Tkachenko (see all)
WRITTEN BY
Eugene Tkachenko
[post-views]
August 31, 2020 · 2 min read

Today, we would like to warn you about a recently discovered vulnerability that allows remote code execution in Pulse Connect Secure application version<9.1R8. As it was mentioned in the research, the CVE-2020-8218 allows a fraudster to run arbitrary code remotely of the Pulse Connector VPN in its pre-last version available.

CVE-2020-8218 Vulnerability in Pulse Connect Secure

The CVE-2020-8218 is one of four recently found vulnerabilities in Pulse Secure. There is already a patched version of the Pulse Connect application however we keep informing the community about the possible consequences of using an unpatched application.

Though a successful vulnerability exploitation requires admin privileges, the easiest way of administrative rights defraud is to deliver a link with a malicious URL in an email and lure admin to clicking on it. VPNs have become particularly important and topical during the lockdown enabling companies to encrypt the corporate communications as well as authenticate users.

Pulse Secure has added lots of security hardening measurements into their application, however, the researchers successfully sent the payload to the compromised machine and achieved remote code execution. While the authentication was actually achieved through a link delivered by a phishing attack, the CVE-2020-8218 vulnerability should not be ignored.

CVE-2020-8218 Detection

Emir Erdogan, an active member of SOC Prime Threat Bounty Developer program, created a community Sigma rule to detect CVE-2020-8218 remote code execution in Pulse Connect Secure: https://tdm.socprime.com/tdm/info/7aBSXpYn0TQA/vGF-NHQBPeJ4_8xcMkVs/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Initial Access

Techniques: Exploit Public-Facing Application (T1190)

 

Ready to try out SOC Prime Threat Detection Marketplace? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.
Join for Free Book a Meeting

Related Posts

This site uses cookies and other tracking technologies to assist with navigation and your ability to provide feedback, analyse your use of our products and services, assist with our promotional and marketing efforts, and provide content from third parties. Cookie Policy. Details

Refuse Cookies Accept Cookies

You previously chose to disable cookies. This site uses cookies and other tracking technologies to assist with navigation and your ability to provide feedback, analyse your use of our products and services, assist with our promotional and marketing efforts, and provide content from third parties. Cookie Policy. Details

Details Accept Cookies