JSA10379 - Security Vulnerability in Pulse Connect Secure (PCS) RADIUS authentication mechanism

Product Affected: All Pulse Connect Secure platforms running PCS 6.0R1 or higher. Platforms running PCS 5.x or older versions are NOT affected by this vulnerability.
If RADIUS is being used as the authentication mechanism on PCS running an affected release of the OS, then in a specific scenario an unauthenticated user may be able to get past the authentication step of the PCS login process. The issue was caused by a software bug that resulted in a RADIUS Access-Request packet being sent to the backend RADIUS server with some fields containing the same values as the previous Access-Request packet, which may have caused the RADIUS server to treat this Access-Request as a duplicate packet. Whether the authentication step succeeds on PCS depends on how the backend RADIUS server is configured to handle this duplicate Access-Request packet: authentication succeeds only if the backend RADIUS server responds with an Access-Accept packet without validating the credentials. If the RADIUS server validates the credentials presented in the (duplicate) Access-Request packet, this vulnerability does not pose any security risk.
Pulse Secure has resolved this issue in PCS versions 6.0R5, 6.0R4.3, 6.0R3.2 and 6.1R2.1.

Note: All future major/minor PCS releases will contain this fix. This vulnerability is not present in any 5.x or older version of PCS.
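The backend behaviour that decides the outcome can be checked with a small model. The following is an added example, not Pulse Secure or RADIUS server vendor code: it contrasts a duplicate cache that resends its previous reply with one that only does so for a byte-identical packet and otherwise validates the credentials. The advisory does not say which fields repeat, so the example assumes the Identifier and Request Authenticator; `RadiusServer`, `build_request`, `parse_request`, `replay_outcome` and all credentials and addresses are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes

def build_request(identifier, authenticator, user, password):
    """Constructed, simplified Access-Request; User-Password is not obfuscated."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in ((1, user), (2, password)))
    return struct.pack("!BBH16s", ACCESS_REQUEST, identifier,
                       20 + len(attrs), authenticator) + attrs

def parse_request(pkt):
    """Return (identifier, attributes) after basic length checks."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length, _auth = struct.unpack("!BBH16s", pkt[:20])
    if code != ACCESS_REQUEST or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Access-Request")
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("bad attribute length")
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return ident, attrs

class RadiusServer:
    """Hypothetical backend. strict=False resends the cached reply whenever source
    and Identifier repeat; strict=True only when the packet is byte-identical."""
    def __init__(self, users, strict):
        self.users, self.strict, self.cache = users, strict, {}

    def handle(self, src, pkt):
        ident, attrs = parse_request(pkt)
        digest = hashlib.sha256(pkt).digest()
        cached = self.cache.get((src, ident))
        if cached and (not self.strict or cached[0] == digest):
            return cached[1]  # handled as a retransmission, credentials not checked
        expected = self.users.get(attrs.get(1))
        ok = expected is not None and hmac.compare_digest(expected, attrs.get(2, b""))
        reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
        self.cache[(src, ident)] = (digest, reply)
        return reply

def replay_outcome(strict):
    """Reply to a request reusing the prior Identifier/Authenticator with bad credentials."""
    server, src = RadiusServer({b"alice": b"correct-horse"}, strict), ("192.0.2.10", 40000)
    server.handle(src, build_request(7, b"\x11" * 16, b"alice", b"correct-horse"))
    return server.handle(src, build_request(7, b"\x11" * 16, b"bob", b"wrong-password"))
```

`replay_outcome(False)` returns Access-Accept for the invalid credentials, while `replay_outcome(True)` returns Access-Reject, which matches the advisory's statement that a server validating the credentials in the duplicate packet is not at risk.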
Related Links
To access the latest software, please visit
CVSS Score
Risk Assessment
Alert Type: PSN - Product Support Notification
Risk Level: High
Legacy ID: PSN-2008-05-007, JSA10379