Today, we would like to warn you about a recently discovered vulnerability that allows remote code execution in Pulse Connect Secure versions earlier than 9.1R8. As described in the original research, CVE-2020-8218 allows an attacker to run arbitrary code remotely on the Pulse Connect VPN appliance in the version immediately preceding the latest available release.
CVE-2020-8218 is one of four recently discovered vulnerabilities in Pulse Secure products. A patched version of Pulse Connect Secure is already available; nevertheless, we continue to inform the community about the possible consequences of running an unpatched installation.
Although successful exploitation requires administrator privileges, the easiest way to abuse those rights is to deliver a malicious URL in an email and lure an administrator into clicking it. VPNs have become particularly important and topical during the lockdown, enabling companies to encrypt corporate communications as well as authenticate users.
Pulse Secure has added many security-hardening measures to the application; nevertheless, the researchers successfully delivered the payload to the compromised machine and achieved remote code execution. Even though the required authentication was actually obtained through a link delivered by a phishing attack, CVE-2020-8218 should not be ignored.
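Since the only affected-version boundary the advisory gives is "earlier than 9.1R8", the first thing a defender wants is a reliable way to sort an appliance inventory into patched and unpatched builds. The following Python snippet is an added example, not code from the original post or from Pulse Secure; it assumes Pulse Connect Secure reports versions in the "MAJOR.MINORrRELEASE[.MAINTENANCE]" form (for example 9.1R8 or 9.1R7.1), and the host names and versions in the sample inventory are constructed.

```python
import re
from typing import List, Optional, Tuple

# Boundary taken from the advisory text: builds older than 9.1R8 are affected.
FIXED_VERSION = "9.1R8"

# Assumed version format: MAJOR.MINOR R RELEASE [. MAINTENANCE], e.g. "9.1R7.1".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_pcs_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a Pulse Connect Secure version string into a comparable tuple.

    Numeric comparison matters: a plain string compare would rank "9.1R10"
    below "9.1R8". Unexpected input raises ValueError instead of being
    silently treated as safe.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised Pulse Connect Secure version: {version!r}")
    major, minor, release, maintenance = match.groups()
    return (int(major), int(minor), int(release), int(maintenance or 0))


def is_vulnerable_to_cve_2020_8218(version: str) -> bool:
    """True when the build is older than the fixed release 9.1R8."""
    return parse_pcs_version(version) < parse_pcs_version(FIXED_VERSION)


def triage_inventory(
    inventory: List[Tuple[str, str]]
) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (host, version, needs_patch) for each appliance.

    needs_patch is None for a version string that could not be parsed, so
    that such hosts are surfaced for manual review rather than dropped.
    """
    results = []
    for host, version in inventory:
        try:
            needs_patch: Optional[bool] = is_vulnerable_to_cve_2020_8218(version)
        except ValueError:
            needs_patch = None
        results.append((host, version, needs_patch))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("vpn-gw-01.example.test", "9.1R7.1"),
        ("vpn-gw-02.example.test", "9.1R8"),
        ("vpn-gw-03.example.test", "9.0R3"),
        ("vpn-gw-04.example.test", "unknown"),
    ]
    labels = {True: "PATCH REQUIRED", False: "ok", None: "UNPARSEABLE - review"}
    for host, version, needs_patch in triage_inventory(sample):
        print(f"{host:24} {version:8} {labels[needs_patch]}")
```

Feed the function the version strings collected from your appliances' admin consoles or asset database; anything that prints "PATCH REQUIRED" or "UNPARSEABLE" should be scheduled for an upgrade or a manual look.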
Emir Erdogan, an active member of the SOC Prime Threat Bounty Developer program, created a community Sigma rule to detect CVE-2020-8218 remote code execution in Pulse Connect Secure: https://tdm.socprime.com/tdm/info/7aBSXpYn0TQA/vGF-NHQBPeJ4_8xcMkVs/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Carbon Black, Elastic Endpoint
Tactics: Initial Access
Techniques: Exploit Public-Facing Application (T1190)