cancel
Showing results for 
Search instead for 
Did you mean: 
Harsh_Chawla
F5 Employee
F5 Employee

Recently an unauthenticated arbitrary file read vulnerability was discovered in Pulse Secure “Pulse Connect Secure” VPN servers. The vulnerability allows an unauthenticated remote attacker to send a specially crafted URI to read an arbitrary file. The vulnerability affects the following versions:

  • 8.1R15.1, 8.2 before 8.2R12.1
  • 8.3 before 8.3R7.1
  • and 9.0 before 9.0R3.4

 

Exploits targeting this vulnerability were posted online a few days ago and researchers at F5 Networks have already detected threat campaigns targeting this vulnerability.

 

Mitigation with BIG-IP ASM

ASM customers under any supported BIG-IP version are already protected against this vulnerability.

 

While exploiting this vulnerability, an attacker will try to send a malicious HTTP GET request containing a path to the file that the attacker wants to read.

Figure 1 Request example containing the exploitation attempt

 

The exploitation attempt will be detected by many existing signatures to detect “Path traversal”, “Detection Evasion”, and “Predictable Resource Location”.

 

Figure 2 Exploit blocked with Attack Signature (200003056)

 

Figure 3 Exploit blocked with Attack Signature (200101550)

 

Figure 4 Exploit blocked by Directory Traversal evasion technique

Comments
miladmin
Nimbostratus
Nimbostratus

thanks  

Version history
Last update:
‎26-Aug-2019 16:33
Updated by:
Contributors