Pulse Secure VPN Endpoints

Pulse Secure VPN Endpoints

Pulse Secure “Pulse Connect Secure” VPN describes itself as:

a seamless, cost-effective, SSL VPN solution for remote and mobile users from any web-enabled device to corporate resources

So, it's no surprise it is used by Enterprises but also Governments around the world.

On August 22, 2019, our honeypots started detecting mass scanning activity targeting Pulse Secure “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This vulnerability was addressed by Pulse Secure on 24th April 2019.

In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .

In a summary, it allows unauthenticated attackers to read sensitive information like private keys and user passwords; Having access to those credentials, attackers could then take advantage of CVE-2019-11539, allowing attackers to gain access inside private VPN networks.

Pulse Secure VPN Endpoints

In the last week of August we ran a worldwide scan to understand the versions of the exposed Pulse Secure VPN Endpoints. Based on a simple HTTPS Request on port 443, this is the data gathered:

Query: port:443 AND DSSETUP_CLIENT_VERSION_PULSE

Top 20 Pulse VPN Versions Detected

Version Count
8.3.7.1933 12318
9.0.4.1731 3045
9.1.2.901 2326
8.2.12.1223 2019
9.0.3.1667 1846
8.3.4.1161 1517
8.3.5.1491 1405
9.1.1.607 1248
9.0.4.1821 870
8.3.6.1769 798
8.3.3.1021 652
8.2.5.869 636
8.2.6.977 626
8.2.7.1025 613
9.0.3.1599 562
9.0.2.1421 416
8.3.2.903 360
8.3.1.755 300
9.0.1.571 298
8.2.8.1075 279

Organizations (Based on Reverse DNS)

Parent Domain Count
akamaitechnologies.com 3465
rima-tde.net 325
expedient.com 301
comcastbusiness.net 245
amazonaws.com 211
virtela.net 202
hinet.net 167
rr.com 129
ucom.ne.jp 113
belgacom.be 111
bezeqint.net 99
vectant.ne.jp 88
qwest.net 86
sfr.net 69
ocn.ne.jp 68
lightower.net 67
kpn.net 65
accenture.com 51
cox.net 49
vsnl.net.in 49

On a final note, Organizations should ensure their systems are patched As Soon As Possible.