JSA10628 - 2014-06 Security Bulletin: Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS): Weak SSL cipher allowed unexpectedly when higher level cipher group is configured (CVE-2014-3812)

Product Affected
SA700, SA2500, FIPS SA4000, SA4500, FIPS SA4500, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, MAG6611, IC4000, IC4500, IC6000, IC6500, and FIPS IC6500. The affected software releases include PCS 7.4 and 8.0, and PPS 4.4 and 5.0.
Problem
A weak cipher issue has been discovered on the Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) devices. When configuring the device to use a higher level cipher setting, a lower level cipher was unexpectedly enabled in error. While clients should always negotiate the use of the highest available cipher, older clients may have negotiated a lower and therefore less secure cipher.

Pulse Secure SIRT is not aware of any malicious exploitation of this vulnerability.

No other Pulse Secure products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3812.
Solution
Software updates to PCS and PPS have been released to resolve this issue. Releases containing the fix include PCS 8.0R1 and 7.4R5, PPS 5.0R1 and 4.4R5, and all subsequent releases.

 
Workaround
There is no workaround for this issue. An upgrade to a fixed version of software is required for the fix.
Implementation
Patched Software Release Service Packages are available at the Pulse Secure Licensing and Download Center: https://my.pulsesecure.net. Links to the documentation for the relevant software are also available at the Pulse Secure Licensing and Download Center.

 
CVSS Score
CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Risk Level
Medium
Legacy ID
JSA10628
