Recently an unauthenticated arbitrary file read vulnerability was discovered in Pulse Secure “Pulse Connect Secure” VPN servers. The vulnerability allows an unauthenticated remote attacker to send a specially crafted URI to read an arbitrary file. The vulnerability affects the following versions:
8.1R15.1, 8.2 before 8.2R12.1
8.3 before 8.3R7.1
and 9.0 before 9.0R3.4
Exploits targeting this vulnerability were posted online a few days ago and researchers at F5 Networks have already detected threat campaigns targeting this vulnerability.
Mitigation with BIG-IP ASM
ASM customers under any supported BIG-IP version are already protected against this vulnerability.
While exploiting this vulnerability, an attacker will try to send a malicious HTTP GET request containing a path to the file that the attacker wants to read.
Figure 1 Request example containing the exploitation attempt
The exploitation attempt will be detected by many existing signatures to detect “Path traversal”, “Detection Evasion”, and “Predictable Resource Location”.
Figure 2 Exploit blocked with Attack Signature (200003056)
Figure 3 Exploit blocked with Attack Signature (200101550)
Figure 4 Exploit blocked by Directory Traversal evasion technique