// For flags

CVE-2018-20193

Juniper Secure Access SSL VPN Privilege Escalation

Severity Score

8.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by Pulse Secure, LLC) allow privilege escalation, as demonstrated by Secure Access SSL VPN SA-4000 5.1R5 (build 9627) 4.2 Release (build 7631). This occurs because appropriate controls are not performed. Specifically, it is possible for a readonly user to change the administrator user password by making a local copy of the /dana-admin/user/update.cgi page, changing the "user" value, and saving the changes.

Ciertos productos SSL VPN Secure Access, de la serie SA (desarrollados originariamente por Juniper Networks, pero vendidos y soportados actualmente por Pulse Secure, LLC), permiten el escalado de privilegios, tal y como queda demostrado con Secure Access SSL VPN SA-4000 5.1R5 (build 9627) 4.2 Release (build 7631). Esto ocurre debido a que no se realizan los controles apropiados. Específicamente, es posible que un usuario "readonly" o con permisos de solo lectura cambie la contraseña de usuario de un administrador haciendo una copia local de la página /dana-admin/user/update.cgi, cambiando el valor "user" y guardando los cambios.

Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by Pulse Secure, LLC) allow privilege escalation, as demonstrated by Secure Access SSL VPN SA-4000 5.1R5 (build 9627) 4.2 Release (build 7631). This occurs because appropriate controls are not performed.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-12-17 CVE Reserved
  • 2018-12-21 CVE Published
  • 2024-05-13 EPSS Updated
  • 2024-08-05 CVE Updated
  • 2024-08-05 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-269: Improper Privilege Management
CAPEC
References (2)
URL Tag Source
http://www.securityfocus.com/bid/106289 Third Party Advisory
URL Date SRC
http://seclists.org/fulldisclosure/2018/Dec/37 2024-08-05
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Pulsesecure
Search vendor "Pulsesecure"
 Secure Access Series Ssl Vpn Sa-4000
Search vendor "Pulsesecure" for product "Secure Access Series Ssl Vpn Sa-4000"
 4.2
Search vendor "Pulsesecure" for product "Secure Access Series Ssl Vpn Sa-4000" and version "4.2"
-
Affected
Pulsesecure
Search vendor "Pulsesecure"
 Secure Access Series Ssl Vpn Sa-4000
Search vendor "Pulsesecure" for product "Secure Access Series Ssl Vpn Sa-4000"
 5.1r5
Search vendor "Pulsesecure" for product "Secure Access Series Ssl Vpn Sa-4000" and version "5.1r5"
-
Affected