CVE-2017-11455 in Pulse Connect Secure
Summary
by MITRE
diag.cgi in Pulse Connect Secure 8.2R1 through 8.2R5, 8.1R1 through 8.1R10 and Pulse Policy Secure 5.3R1 through 5.3R5, 5.2R1 through 5.2R8, and 5.1R1 through 5.1R10 allow remote attackers to hijack the authentication of administrators for requests to start tcpdump, related to the lack of anti-CSRF tokens.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 01/10/2021
The vulnerability identified as CVE-2017-11455 affects Pulse Connect Secure and Pulse Policy Secure appliances across multiple versions, specifically targeting the diag.cgi web interface component. This issue represents a critical authorization flaw that enables remote attackers to perform administrative actions without proper authentication. The vulnerability stems from the absence of anti-cross-site request forgery (CSRF) tokens in the web interface, creating a pathway for malicious actors to hijack active administrator sessions and execute privileged commands.
The technical flaw manifests in the lack of proper CSRF protection mechanisms within the diag.cgi script, which is responsible for handling diagnostic functions including tcpdump packet capture operations. When administrators interact with the web interface to initiate tcpdump sessions, the system fails to validate that the request originates from an authenticated user session. This absence of CSRF token validation allows attackers to craft malicious requests that appear to originate from legitimate administrative sessions, effectively bypassing the authentication mechanism.
The operational impact of this vulnerability is severe as it provides attackers with the ability to perform administrative functions on affected appliances without requiring valid credentials. Specifically, attackers can initiate tcpdump sessions to capture network traffic, potentially exposing sensitive data passing through the appliance. The vulnerability affects multiple product lines and version ranges, indicating a widespread issue that could impact numerous organizations relying on Pulse Secure appliances for network security. The ability to hijack administrative sessions also opens possibilities for further exploitation including configuration changes, privilege escalation, and potential lateral movement within network environments.
Organizations affected by this vulnerability should implement immediate mitigations including updating to patched versions of the affected software releases, implementing network segmentation to limit access to administrative interfaces, and deploying additional monitoring for suspicious administrative activities. The vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses, and maps to ATT&CK technique T1078.004 for Valid Accounts - Default Accounts, as the attack leverages legitimate administrative sessions. Security teams should also consider implementing web application firewalls to detect and block malicious CSRF requests targeting the diag.cgi endpoint. The vulnerability demonstrates the critical importance of CSRF protection in administrative web interfaces and highlights the need for comprehensive security testing of all web application components that handle privileged operations.