Multiple vulnerabilities in Pulse Connect Secure

Published: 2019-06-28 | Updated: 2020-08-08

Risk	High
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2018-20809 CVE-2018-20810 CVE-2018-20814
CWE-ID	CWE-20 CWE-326 CWE-79
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Pulse Connect Secure Server applications / Remote access servers, VPN Pulse Policy Secure Server applications / Remote access servers, VPN
Vendor	Pulse Secure

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU35774

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2018-20809

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A crafted message can cause the web server to crash with Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R5 and Pulse Policy Secure 5.4RX before 5.4R5. This is not applicable to PCS 8.1RX.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.3 - 8.3

Pulse Policy Secure: 4.4 - 8.3

CPE2.3

cpe:2.3:a:pulse_secure:pulse_connect_secure:8.3:*:*:*:*:*:*:*

External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Inadequate Encryption Strength

EUVDB-ID: #VU35775

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-20810

CWE-ID: CWE-326 - Inadequate Encryption Strength

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX, PPS 5.2RX, or stand-alone devices.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.3 - 8.3

Pulse Policy Secure: 5.4 - 8.3

CPE2.3

cpe:2.3:a:pulse_secure:pulse_connect_secure:8.3:*:*:*:*:*:*:*

External links

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Cross-site scripting

EUVDB-ID: #VU35779

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-20814

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An XSS issue was found with Psaldownload.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.3R2 before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX or PPS 5.2RX.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.3 - 8.3

Pulse Policy Secure: 5.4 - 8.3

CPE2.3

cpe:2.3:a:pulse_secure:pulse_connect_secure:8.3:*:*:*:*:*:*:*

External links

http://www.securityfocus.com/bid/109033
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?