Reset Search
 

 

Article

SA40005 - Details on fixes for OpenSSL "Heartbleed" issue (CVE-2014-0160)

« Go Back

Information

 
Product Affected
Problem
This article provides detailed information related to the fixes for OpenSSL "Heartbleed" issue (CVE-2014-0160) for PCS/PPS products.

The following PCS versions are vulnerable to the OpenSSL vulnerability CVE-2014-016:


Server-side:
  • PCS Software versions 7.4R1 to 7.4R9. 
  • PCS Software versions 8.0R1 to 8.0R3.
Client-Side:
  • Pulse Secure Desktop version 5.0R1 to 5.0R3.
  • Pulse Secure Desktop version 4.0R5 to 4.0R9.1.
  • Network Connect (windows only) version 7.4R5 to 7.4R9.1 and 8.0R1 to 8.0R3.1. This client component is impacted only if used in FIPS mode. Non-FIPS version of Network Connect clients are not impacted.
  • Pulse Secure Mobile for Android version 4.2R1 to 5.0R3
  • Pulse Secure Mobile for iOS version 4.2R1 to 5.0R2. This client component is impacted only if used in FIPS mode.
  • Windows In-Box Pulse Secure client on Windows 8.1

For details on client-side exposure refer FAQ # 1 (Exposure due to impacted client-side Components) in the FAQ section below.
Solution
Last Update: 8.00 a.m. May 6th 2014 Pacific Daylight Savings.

Refer 'Section A' if currently on ANY release version other than 7.4R9.1, 7.4R9.2 or 8.0R3.1
Refer 'Section B' if currently on 7.4R9.1 or 8.0R3.1
Refer 'Section C' if currently on 7.4R9.2

Section A - Applies if upgrading from ANY release other than 7.4R9.1, 7.4R9.2 or 8.0R3.1

Pulse Secure has released the following versions of software to resolve this issue on the server side and client side for its PCS product family. The fixed build includes OpenSSL libraries with disabled heartbeat extension options (using the openssl option -DOPENSSL_NO_HEARTBEATS)
  1. PCS software version 8.0R3.2 and 7.4R9.3
  2. Pulse Secure desktop clients versions 5.0R3.1 and 4.0R9.2 (previously released Pulse Desktop 4.0R9.1 client is vulnerable and should no longer be used)
  3. Pulse Secure Mobile for Android version 5.0R3 (44997) is available for download from Google Play Store.
  4. Pulse Secure Mobile for Android (Samsung Variant) version 5.0R3 (44997) is available for download from Google Play Store.
  5. Pulse Secure Mobile for Apple iOS version 5.0.3.44999 is available for download from Apple App Store.
  6. Fix for Windows In-Box Pulse Secure client for Windows 8.1 is available now by Microsoft KB2962140 or KB2964757

-----End of Section A-----

Section B - Applies ONLY if upgrading from 7.4R9.1 or 8.0R3.1 versions

If customers previously upgraded to 7.4R9.1 or 8.0R3.1 then the issue is resolved on server side (PCS gateway device) as these release versions include openssl libraries with disabled heartbeat extension option (using the openssl option -DOPENSSL_NO_HEARTBEATS). However there may be some exposure to client components. For details on the exposure refer FAQ 1 (Exposure due to impacted client-side Components) in the FAQ section below. To resolve outstanding issues with client-side components, use the options listed below:
  1. For Pulse Secure Desktop clients: Upgrade Pulse Secure clients to versions 5.0R3.1 or 4.0R9.2 using your chosen method of Pulse Secure deployment (through Web browser when users signs-in to their SSL VPN session or through software distribution infrastructure). If you previously used Pulse Secure Version 4.0R9.1 - upgrade to Pulse Secure 4.0R9.2.
  2. For FIPS mode of Network Connect (windows Only) client: Upgrade your PCS device to software version 8.0R3.2 or 7.4R9.3. This is because Network Connect client is tied to the server version and you have to upgrade the server to upgrade the clients.
  3. Pulse Secure Mobile for Android version 5.0R3 (44997) is available for download from Google Play Store.
  4. Pulse Secure Mobile for Android (Samsung Variant) version 5.0R3 (44997) is available for download from Google Play Store.
  5. Pulse Secure Mobile for Apple iOS version 5.0.3.44999 is available for download from Apple App Store.
  6. Fix for Windows In-Box Pulse Secure client for Windows 8.1 is available now by Microsoft KB2962140 or KB2964757.
  7. If you are not impacted by the scenarios described under FAQ # 1 (Exposure due to impacted client-side Components) then 7.4R9.1 and 8.0R3.1 will resolve the issue and you do not have to upgrade (neither the Server nor Client versions)
-----End of Section B----

Section C - Applies ONLY if upgrading from 7.4R9.2 

If customers previously upgraded to 7.4R9.2 then the issue is resolved on server side (PCS gateway device) as these release versions include openssl libraries with disabled heartbeat extension option (using the openssl option -DOPENSSL_NO_HEARTBEATS). However there may be some exposure to Pulse Secure Desktops clients as described under FAQ # 1 (Exposure due to impacted client-side Components). To resolve outstanding issues with client-side components, use the options listed below:
  1. For Pulse Secure Desktop clients: Upgrade Pulse Secure clients to versions 5.0R3.1 or 4.0R9.2 using your chosen method of Pulse Secure deployment (through Web browser when user signs-in to their PCS session or through software distribution infrastructure). If you previously used Pulse Secure Client Version 4.0R9.1, upgrade to Pulse Secure Client 4.0R9.2.
  2. For FIPS mode of Network Connect (windows Only) client: N/A. This client is already fixed in 7.4R9.2.
  3. Pulse Secure Mobile for Android version 5.0R3 (44997) is available for download from Google Play Store.
  4. Pulse Secure Mobile for Android (Samsung Variant) version 5.0R3 (44997) is available for download from Google Play Store.
  5. Pulse Secure Mobile for Apple iOS version 5.0.3.44999 is available for download from the Apple App Store.
  6. Fix for Windows In-Box Pulse Secure client for Windows 8.1 is available now by Microsoft KB2962140 or KB2964757
  7. If you are not impacted by the scenarios described under FAQ # 1 (Exposure due to impacted client-side Components) then 7.4R9.2 will resolve the issue and you do not have to upgrade (neither the Server nor Client versions)

Note: 7.4R9.3 was recently released to provide a single 7.4R9 build which contains all fixes for both server and client components.

-----End of Section C----

FAQ Section:

FAQ 1: Exposure due to impacted client-side Components. 
PCS clients components listed under 'Client-side' in the problem section above contain a version of impacted OpenSSL library which is used by the PCS client components to communicate to the sever over https. As long as the client connects to a patched version of server there should be no exposure to this vulnerability due to the Pulse Secure Client Component; neither to the client nor to the server. However if the client connects to a rogue server that is capable of exploiting this vulnerability then the client device may be exposed to this memory buffer over-read issue.

FAQ 2: Are all client Components impacted?
No. Only the client components listed under 'client-side' section in the problem section are affected.

FAQ 3: Should I replace the private keys on the SSL VPN gateway device?
Since the vulnerability may allow attackers to read from the process memory it is possible to obtain sensitive information such as private keys and user's personal information. Pulse Secure recommends that customers generate new device certificates to replace the existing ones.  This will effectively replace the private key that may have been compromised.  For step by step instructions on completing this task refer to KB29002 - [System Management] Creating and Installing a New or Replacement Device Certificate

Inline with PKI best practices it is recommended that customers revoke the impacted certificate.

FAQ 4: Should I change my user and administrator passwords?
Since the vulnerability may allow attackers to read from the process memory it is possible to obtain sensitive information such as passwords. Pulse Secure recommends that customers change any password that might have been compromised. This includes user passwords and administrator passwords on the PCS device and backend resources.

FAQ 5: Should I delete all my active sessions after upgrade?
Yes. A software upgrade preserves user sessions even after an upgrade. Pulse Secure recommends that customers use the 'Delete Sessions' option after an upgrade and delete all sessions. This option is available in the Admin GUI System menu by selecting Status > Active Users. All users and administrators will have to login again. This will generate a new session ID and also invalidate the previous session ID in the event that it was compromised.

FAQ 6: If customers previously upgraded to 7.4R9.1, 7.4R9.2 or 8.0R3.1 do they have to upgrade again to 7.4R9.3 or 8.0R3.2?
The subsequent releases are required ONLY if customers determine that they are impacted. For details refer to FAQ 1 and the affected client-side list in the 'problem' section above

FAQ 7: If a customer has not yet upgraded to any patched release which release versions should they upgrade to?
 If the gateway devices are not yet upgraded then use 7.4R9.3 or 8.0R3.2 as described in detail under Section A above.

FAQ 8: What are the openssl versions used in vulnerable server and clients components?
Server-Side:
PCS software versions 7.4R1 and 7.4R2 uses openssl version 1.0.1c and 7.4R3 and above uses openssl version 1.0.1e.
PCS software versions 8.0R1 to 8.0R3 uses openssl version 1.0.1e

Client-Side:
Pulse Secure (Desktop) version 5.0R1 to 5.0R3 uses openssl version 1.0.1e
Pulse Secure (Desktop) 4.0R5 to 4.0R9.1 uses openssl version 1.0.1e

FAQ 9: The image below is a table of vulnerable components and Patches released. It is a snapshot of information provided in Section A, B and C

Table of Vulnerable Components and Patches Released


 
Workaround
Implementation
Related Links
CVSS Score9.4 (AV:N/AC:L/Au:N/C:C/I:C/A:N)
Risk Assessment
Acknowledgements
Alert TypePSN - Product Support Notification
Risk LevelCritical
Attachment 1 
Attachment 2 
Legacy IDJSA10623

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255