Recently an unauthenticated arbitrary file read vulnerability was discovered in Pulse Secure “Pulse Connect Secure” VPN servers. The vulnerability allows an unauthenticated remote attacker to send a specially crafted URI to read an arbitrary file. The vulnerability affects the following versions:

• 8.1R15.1, 8.2 before 8.2R12.1
• 8.3 before 8.3R7.1
• and 9.0 before 9.0R3.4

 

Exploits targeting this vulnerability were posted online a few days ago and researchers at F5 Networks have already detected threat campaigns targeting this vulnerability.

 

Mitigation with BIG-IP ASM

ASM customers under any supported BIG-IP version are already protected against this vulnerability.

 

While exploiting this vulnerability, an attacker will try to send a malicious HTTP GET request containing a path to the file that the attacker wants to read.

Figure 1 Request example containing the exploitation attempt

 

The exploitation attempt will be detected by many existing signatures to detect “Path traversal”, “Detection Evasion”, and “Predictable Resource Location”.

 

Figure 2 Exploit blocked with Attack Signature (200003056)

 

Figure 3 Exploit blocked with Attack Signature (200101550)

 

Figure 4 Exploit blocked by Directory Traversal evasion technique