JSA10361 - Pulse Connect Secure (PCS) ActiveX client vulnerability

Information

 
Product Affected: All Pulse Connect Secure (PCS) versions older than those listed in the "Recommended Actions" section below.
Problem

Summary:
A malicious web site could trick a PCS user into clicking a link that exploits a vulnerability present in the ActiveX component of the PCS client software.

Details:
When using Internet Explorer to access the PCS device, an ActiveX control is automatically downloaded to perform various tasks. This ActiveX control could be invoked in a web page on a malicious website by using the standard HTML "object" notation. The "object" tag contains the control to be loaded (in this case the PCS ActiveX) and provides a list of parameters and values that get passed.

A stack overflow currently exists in the way the PCS ActiveX control parses those parameters, which could lead to remote code execution in the context of Internet Explorer.

Acknowledgement:
Pulse Secure extends a special thank you to eEye for reporting and working to resolve this issue with our engineering teams.

Disclaimer:
Pulse Secure is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. Pulse Secure expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. Pulse Secure may change this notice at any time.
 
Solution

Recommended Actions:
Upgrade the PCS software to any of the following patched versions:
  • 5.3R2.1
  • 5.2R4.1
  • 5.1R8
  • 5.0R6.1
  • 4.2R8.1
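
An added example, not part of the original advisory or any Pulse Secure tooling: a Python check that compares PCS version strings from an inventory against the fixed releases listed above. It assumes versions are written as `major.minorRrelease[.patch]`, that each release is compared only with the fix in its own branch, and that a branch with no listed fix counts as affected when it predates 5.3; the host names are constructed.

```python
import re

# Fixed releases from the "Recommended Actions" list: branch -> (release, patch).
PATCHED = {
    (5, 3): (2, 1),
    (5, 2): (4, 1),
    (5, 1): (8, 0),
    (5, 0): (6, 1),
    (4, 2): (8, 1),
}

# Assumed format: major.minor "R" release, optional ".patch" (e.g. 5.3R2.1).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor), (release, patch)) for a PCS version string."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = (int(g) if g else 0 for g in match.groups())
    return (major, minor), (release, patch)


def is_affected(text):
    """True when the version predates the fixed release for its branch."""
    branch, release = parse_version(text)
    if branch in PATCHED:
        return release < PATCHED[branch]
    # Assumption: a branch with no listed fix is affected if it is older
    # than the newest listed branch, and unaffected if it is newer.
    return branch < max(PATCHED)


def hosts_to_upgrade(inventory):
    """Return the sorted host names whose reported version is affected."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "vpn-a.example": "5.3R2",
    "vpn-b.example": "5.3R2.1",
    "vpn-c.example": "5.1R7.3",
    "vpn-d.example": "4.1R3",
    "vpn-e.example": "5.0R6.1",
}

if __name__ == "__main__":
    print(hosts_to_upgrade(SAMPLE_INVENTORY))
```

Strings that do not match the assumed format raise `ValueError` rather than being silently treated as patched.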
Risk Assessment: Potential exploitation of a vulnerability in SSL Client
Alert Type: PSN - Product Support Notification
Risk Level: High
Legacy ID: PSN-2006-03-013, JSA10361
