JSA10512 - 2012-06 Security Bulletin: Pulse Connect Secure (PCS): Open redirect issue


Information

 
Product Affected: SA 700, SA 2000, SA 2500, SA 4000, SA 4500, SA 6000, SA 6500, SA 4000 FIPS, SA 6000 FIPS, SA 4500 FIPS, SA 6500 FIPS, MAG2600, MAG4610, MAG-SM160, MAG-SM360
Problem
An open redirect issue has been found in the Pulse Connect Secure (PCS) product. The issue is caused by incorrect validation of user input sent to the PCS web server. The issue exists in the landing page that is displayed to the user after the user has logged in to the PCS.

No other Pulse Secure products or platforms are vulnerable to this issue.

Solution
The issue is fixed in PCS releases 7.1R8, 7.2R1, and all subsequent releases.

Workaround

There is no viable workaround for this issue.

Implementation
Related Links
Patched software release service packages are available at the Pulse Secure Licensing and Download Center: https://my.pulsesecure.net. Documentation links for the relevant software are also available at the Pulse Secure Licensing and Download Center.
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Risk Assessment: An "open redirect" could allow an attacker to create a URL that looks like a trusted link to the PCS but instead redirects the user to a website of the attacker's choice. For the exploit to succeed, the user must already be logged in to the PCS server, and the attacker would need to create some sort of interaction with the user to cause the user to click on the malicious link.

Information on how Pulse Secure uses CVSS can be found in KB16446, "Common Vulnerability Scoring System (CVSS) and Pulse Secure's Security Advisories."
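
The kind of input validation whose absence the Problem and Risk Assessment sections describe, shown for a post-login redirect target. This is an added example, not Pulse Secure's code or the fix shipped in the patched releases; the origin vpn.example.com, the fallback path and the function name safe_redirect_target are assumptions.

```python
from urllib.parse import urlsplit

# Assumptions for this example: placeholder origin and fallback path.
TRUSTED_ORIGIN = ("https", "vpn.example.com")
DEFAULT_LANDING = "/"


def safe_redirect_target(raw, origin=TRUSTED_ORIGIN, default=DEFAULT_LANDING):
    """Return an on-site path (plus query) for the redirect, else `default`."""
    if not raw:
        return default
    # Browsers drop tabs/newlines and read "\" as "/", so values containing
    # them can turn into scheme-relative URLs after a naive prefix check.
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c == "\\" for c in raw):
        return default
    candidate = raw.strip()
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 literal
        return default
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative: exact origin match only. Comparing the
        # whole netloc also rejects userinfo ("trusted@other") and odd ports.
        if (parts.scheme, parts.netloc.lower()) != origin:
            return default
    path = parts.path or "/"
    # "//host" and "///host" both resolve off-site against an https base.
    if candidate.startswith("//") or path.startswith("//") or not path.startswith("/"):
        return default
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for value in ["/portal/home?tab=1", "https://vpn.example.com/portal/home",
                  "https://other.example/", "//other.example/x", "/\\other.example"]:
        print(repr(value), "->", safe_redirect_target(value))
```

The function always returns a path rather than the caller-supplied URL, so the redirect response cannot carry a host the server did not choose.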
Acknowledgements
Alert Type: PSN - Product Support Notification
Risk Level: Medium
Legacy ID: PSN-2012-06-610, JSA10512
