RCE in Pulse Connect Secure (CVE-2020-8218)

Today, we would like to warn you about a recently discovered vulnerability that allows remote code execution in Pulse Connect Secure versions below 9.1R8. As noted in the research, CVE-2020-8218 allows an attacker to run arbitrary code remotely on the Pulse Connect Secure VPN in the second-most-recent version available.

CVE-2020-8218 Vulnerability in Pulse Connect Secure

CVE-2020-8218 is one of four recently found vulnerabilities in Pulse Secure products. A patched version of Pulse Connect Secure is already available; however, we keep informing the community about the possible consequences of running an unpatched application.

Although successful exploitation of the vulnerability requires admin privileges, the easiest way to abuse administrative rights is to deliver an email containing a malicious URL and lure an administrator into clicking on it. VPNs have become particularly important during the lockdown, enabling companies to encrypt corporate communications as well as authenticate users.

Pulse Secure has added many security hardening measures to its application; however, the researchers successfully sent the payload to the compromised machine and achieved remote code execution. Although authentication was actually obtained through a link delivered in a phishing attack, the CVE-2020-8218 vulnerability should not be ignored.

CVE-2020-8218 Detection

Emir Erdogan, an active member of the SOC Prime Threat Bounty Developer Program, created a community Sigma rule to detect CVE-2020-8218 remote code execution in Pulse Connect Secure: https://tdm.socprime.com/tdm/info/7aBSXpYn0TQA/vGF-NHQBPeJ4_8xcMkVs/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Initial Access

Techniques: Exploit Public-Facing Application (T1190)


Ready to try out SOC Prime Threat Detection Marketplace? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.