Reset Search
 

 

Article

JSA10413 - Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) products - Security Bundle - Authentication & Authorization Issue

« Go Back

Information

 
Product AffectedPCS: SA 500, SA 700, SA 1000, SA 2000, SA 2500, SA 3000, SA 4000, SA 4500, SA 5000, SA 6000, SA 6500
PPS: IC4000, IC4500, IC6000, IC6500 SA 3000 FIPS, SA 5000 FIPS, SA 4000 FIPS, SA 6000 FIPS, SA 4500 FIPS, SA 6500 FIPS
Problem
Authentication & Authorization vulnerability found and fixed through a combination of internal and external proactive security testing:
- When using NTLMv1 or NTLMv2 authentication protocols for Active Directory based authentication it is possible to bypass the authentication step of the login flow. Note: This vulnerability exists only in AD/NT mode authentication servers and not in LDAP mode.
Solution
Upgrade is recommended to the following or later releases:
- PCS: 6.0R12; 6.1R8; 6.2R6; 6.3R5; 6.4R2; 6.5R1
- PPS: 3.0R2
 
Workaround
1. Select only the "Kerberos" option as the authentication protocol within Active Directory authentication server configuration on the PCS or PPS. A restart of services will be required for this config change to take effect.

(OR)

2. Use strong authorization rules (role mapping rules) to reduce the impact/risk of this vulnerability; as this vulnerability can be exploited to bypass only the authentication step of the login flow (the authorization process will still be executed and may successfully restrict access to any resources) Some examples of strong authorization rules include role mapping based on group membership or role mapping based on specific attributes.

Software upgrades recommended in this Security Advisory are synchronized with the recommendations in other bulletins (JSA10414 and JSA10415). This enables customers to upgrade once and have all issues resolved with the upgrade.
Implementation
Related Links
Patched Software Release Service Packages are available at Pulse Secure Licensing and Download Center: https://my.pulsesecure.net. Documentation links to the relevant software’s are also available at Pulse Secure Licensing and Download Center.
CVSS Score
Risk AssessmentIf Active Directory based authentication is being used as the authentication mechanism on an PCS or PPS that is running an affected release, then in a specific scenario an unauthorized user may be able to bypass the authentication step of the login flow and gain access to backend resources.
Acknowledgements
Alert TypePSN - Product Support Notification
Risk LevelHigh
Attachment 1 
Attachment 2 
Legacy IDPSN-2009-10-538, JSA10413

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255