CVE-2020-11582
Ivanti Connect Secure vulnerability analysis and mitigation

Overview

An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This vulnerability, tracked as CVE-2020-11582, allows local HTTP clients to access the server because up to 25 invalid lines are ignored, and because DNS rebinding can occur (NVD, Rapid7).

Technical details

The vulnerability exists in the Host Checker component, specifically in the tncc.jar applet. When a Host Checker policy is enforced, the applet opens a TCP server with ServerSocket(0), which picks a free port automatically and listens on all interfaces. The selected port is written to ~/.pulse_secure/narport.txt. Although the code refuses commands from non-local hosts, it lacks robust authentication and will attempt to parse up to 25 invalid commands before exiting, which makes it vulnerable to DNS rebinding attacks (LSD Git).
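The following added example (not code from tncc.jar or from the sources cited here) models why the invalid-line tolerance matters and what a strict, authenticated line protocol changes. The "auth <token>" first line, the setcookie argument format, and the sample request are assumptions constructed for illustration.

```python
import hmac
import secrets
import socket

COMMANDS = {"setcookie"}  # name taken from the page; the argument grammar is assumed

def open_listener():
    # Loopback-only bind; Java's ServerSocket(0) binds the wildcard address instead.
    # This removes exposure to other hosts but does not by itself stop DNS rebinding.
    return socket.create_server(("127.0.0.1", 0))

def accepted_commands(lines, max_invalid, token=None):
    """Return the (name, arg) pairs one session would execute."""
    it = iter(lines)
    if token is not None:
        # Hardened: the first line must carry a per-session secret a web page cannot know.
        first = next(it, "")
        if not hmac.compare_digest(first.encode(), f"auth {token}".encode()):
            return []
    accepted, invalid = [], 0
    for line in it:
        name, _, arg = line.strip().partition(" ")
        if name in COMMANDS and arg:
            accepted.append((name, arg))
            continue
        invalid += 1
        if invalid > max_invalid:  # session dropped once the tolerance is exhausted
            break
    return accepted

# Constructed sample: the lines a browser-issued POST delivers to a raw TCP listener.
BROWSER_POST = [
    "POST / HTTP/1.1",
    "Host: rebound.example:40123",
    "User-Agent: ExampleBrowser/1.0",
    "Accept: */*",
    "Content-Type: text/plain",
    "Content-Length: 23",
    "",
    "setcookie EXAMPLE-VALUE",
]

if __name__ == "__main__":
    token = secrets.token_urlsafe(32)
    legit = [f"auth {token}", "setcookie EXAMPLE-VALUE"]
    print("tolerant (25 invalid lines):", accepted_commands(BROWSER_POST, 25))
    print("strict, no token:", accepted_commands(BROWSER_POST, 0))
    print("strict + token, browser:", accepted_commands(BROWSER_POST, 0, token))
    print("strict + token, legit client:", accepted_commands(legit, 0, token))
    with open_listener() as srv:
        print("listening on", srv.getsockname())
```

With a tolerance of 25, the request line and headers are skipped as invalid input and the body line is still treated as a command; with zero tolerance or a required token, the same request yields nothing.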

Impact

The vulnerability allows local HTTP clients to access the server and potentially execute commands through the setcookie command. This is particularly dangerous when combined with DNS rebinding, as it could lead to unauthorized access and potential command execution. Commands such as setcookie can also be used in conjunction with other vulnerabilities to escalate attacks (LSD Git).

Mitigation and workarounds

The vulnerability was addressed in subsequent updates to Pulse Connect Secure. Organizations should ensure they are running the latest version of the software. For systems that cannot be immediately updated, network-level controls to restrict access to the affected ports and monitoring for suspicious DNS rebinding attempts can help mitigate the risk (Rapid7).

This report was generated using AI

Related Ivanti Connect Secure vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-55147 | HIGH | 8.8 | Ivanti Connect Secure | cpe:2.3:a:ivanti:connect_secure | No | Yes | Sep 09, 2025 |
| CVE-2025-55148 | HIGH | 7.6 | Ivanti Connect Secure | cpe:2.3:a:ivanti:connect_secure | No | Yes | Sep 09, 2025 |
| CVE-2025-8712 | MEDIUM | 5.4 | Ivanti Connect Secure | cpe:2.3:a:ivanti:connect_secure | No | Yes | Sep 09, 2025 |
| CVE-2025-8711 | MEDIUM | 5.4 | Ivanti Connect Secure | cpe:2.3:a:ivanti:connect_secure | No | Yes | Sep 09, 2025 |
| CVE-2025-55146 | MEDIUM | 4.9 | Ivanti Connect Secure | cpe:2.3:a:ivanti:policy_secure | No | Yes | Sep 09, 2025 |