JSA10470 - Pre-authentication CGI script fails to fully validate all parameters

Information

Product Affected: This issue affects all Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) appliances.
Problem

CGI scripts accessible during pre-authentication may fail to verify the validity of values supplied as parameters. This could lead to the arbitrary fetching of ".exe" files from the device.
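The root cause described above is a parameter-validation gap in a handler reachable before authentication. As an added illustration, not code from Pulse Secure or from the PCS/PPS CGI scripts (whose internals are not on this page), the following Python validator shows the allowlist approach such a handler can apply to a user-supplied file-name parameter before serving anything: a strict character set that excludes path separators, a document-only extension allowlist from which executables are deliberately absent, and a resolved-path containment check. All names (validate_file_param, SAFE_EXTENSIONS, SAMPLE_PARAMS, the document-root path) are hypothetical, and the sample parameter values are constructed for the demonstration.

```python
"""Allowlist validation for a file-name parameter handled by a pre-authentication
CGI script.  Added illustration with hypothetical names; not Pulse Secure code."""
import os
import re

# Shape of a legitimate file name: starts alphanumeric, then only letters,
# digits, underscore, dot or hyphen.  No '/', '\\', whitespace or control bytes,
# so traversal components such as "../" cannot pass.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")

# Only document types an unauthenticated visitor should ever be served.
# Executable extensions are intentionally not in this set.
SAFE_EXTENSIONS = frozenset({".pdf", ".txt", ".html"})


def validate_file_param(value, doc_root, safe_extensions=SAFE_EXTENSIONS):
    """Return the absolute path that may be served, or None to reject.

    Checks, in order: the value is a string of the allowed shape, its final
    extension is on the allowlist, and the resolved path still lies inside
    doc_root (defense in depth against symlinks placed under doc_root).
    """
    if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
        return None

    # Use the final extension only, so "notes.pdf.exe" is judged as ".exe".
    extension = os.path.splitext(value)[1].lower()
    if extension not in safe_extensions:
        return None

    root = os.path.realpath(doc_root)
    full = os.path.realpath(os.path.join(root, value))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


# Constructed sample parameter values: three well-formed document names and
# several malformed or disallowed ones.
SAMPLE_PARAMS = [
    "guide.pdf",
    "GUIDE.PDF",
    "readme.txt",
    "setup.exe",
    "notes.pdf.exe",
    "../../bin/tool.exe",
    "sub/page.html",
    "",
    "x\x00.pdf",
]


def check_samples(doc_root="/var/www/pubdocs"):
    """Map each sample parameter to True (accepted) or False (rejected)."""
    return {p: validate_file_param(p, doc_root) is not None for p in SAMPLE_PARAMS}


if __name__ == "__main__":
    for param, accepted in check_samples().items():
        print(f"{param!r:25} -> {'accepted' if accepted else 'rejected'}")
```

The allowlist is the important design choice: rather than enumerating bad inputs (a denylist of ".exe" or "../" would miss variants), the validator states exactly what a good value looks like and rejects everything else, and the final realpath containment check catches anything the string checks did not anticipate.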
Solution

Software updates to PCS and PPS have been released to resolve this issue. Releases containing the fix include PCS 7.0R5.1 released on 2011-03-22 and PCS 7.1R1.1 released on 2011-03-22. PPS releases containing the fix include PPS 3.1R8 released on 2011-03-15, PPS 4.0R5.1 released on 2011-03-22 and PPS 4.1R1.1 released on 2011-03-22.

This issue is being tracked as PR 572277. While this PR is not viewable by customers, it can be used as a reference when discussing the issue with Pulse Secure's Global Customer Service (GCS) support engineers.

Workaround

There are no known workarounds for this issue.

Credit:
This issue was reported to Pulse Secure by Tavis Ormandy, Google Security Team. Pulse Secure SIRT would like to thank Tavis for his research efforts and responsible disclosure.
Implementation
Patched Software Release Service Packages are available from the Pulse Secure Licensing and Download Center: https://my.pulsesecure.net. Documentation links for the relevant software are also available there.
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Risk Assessment: Information on how Pulse Secure uses CVSS can be found in KB16446, "Common Vulnerability Scoring System (CVSS) and Pulse Secure's Security Advisories."
Alert Type: PSN - Product Support Notification
Risk Level: Medium
Legacy ID: PSN-2011-03-199, JSA10470