SA40007 - 2014-09 Security Bulletin: Pulse Connect Secure (PCS) and Pulse Secure Desktop client: User privilege escalation issue in Installer Service (CVE-2014-3811)

Information

Product Affected: PCS700, PCS2000, PCS2500, PCS4000, PCS4000 FIPS, PCS4500, PCS4500 FIPS, PCS6000 FIPS, PCS6000, PCS6500 FIPS, PCS6500, MAG PCS2600, MAG PCS4610. The affected software releases include IPCS 7.1, 7.4 and Pulse Secure Desktop client 4.0.
Problem
A privilege escalation issue has been found and corrected in the Pulse Secure Installer Service client (Windows platform only) software. This issue could allow a non-administrator user to escalate their access to administrator privileges on an end-user client system that has the Pulse Secure Installer Service installed.

Note: This issue only affects the client side. The PCS (server side) is not affected. Pulse Secure SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned: CVE-2014-3811

The following products and versions are vulnerable (the Pulse Secure Installer Service is referred to below as JIS):
  • Pulse Secure Desktop Client 4.0R5 and below (Windows)
  • Pulse Secure Desktop Client 3.1R8 and below (Windows)
  • Standalone Pulse Secure Installer Service - All versions prior to 7.4 & 7.4R1 to 7.4R5 (Fix is included in 7.4R6 and above)
The following products and versions are not vulnerable:
  • All versions of Pulse Secure Desktop Client for Mac OS X
  • All versions of Pulse Secure Mobile Client for iOS
  • All versions of Pulse Secure Mobile Client for Android
  • Standalone Pulse Secure Installer Service - 8.0R1 and above
Solution

Known Issues

  • When upgrading Installer Service client to 8.0Rx, you will see both the previous version and the new version listed under the 'Installed Programs' category. This is caused by a registry cleanup issue.
  • When upgrading Installer Service client from 7.1Rx to 8.0Rx, you will be prompted for administrator credentials.

The credential prompt was fixed in 8.0R7 and later; the Release Notes (https://www.pulsesecure.net/download/techpubs/current/16) document the fix as:

PRS-318013, PRS-317942 - JIS: Self upgrade results in UAC prompt for admin credentials

So upgrading from 7.1 or 7.4 directly to 8.0R7 or later will not encounter the credential prompt described above.

Q: What clients are impacted by this vulnerability?
A: Only Windows machines that are running an affected version of Pulse Secure Desktop Client or Installer Service client, as stated in the Problem section (above).

Pulse FAQ

Q: How do I upgrade Pulse Secure Desktop Client to resolve this vulnerability?
A: You can distribute the Pulse Secure Desktop Client either by web deployment through the PCS/MAG PCS device or by using a software management system to deploy the Pulse Secure Desktop Client MSI file. For more information on deploying the Pulse Secure Desktop Client MSI file, refer to the section 'Installing the Junos Pulse client on Windows Endpoint using a Preconfiguration File' in the relevant Pulse Client Desktop Administration Guide in the Techpubs section.


Q: Can I install Pulse Secure Desktop Client 5.0R1 and above to resolve this issue?
A: Yes, the vulnerability is fixed in Pulse Secure Desktop Client 5.0R1 and above.

The Pulse Secure Desktop Client can be downloaded from the Software Download section of the Pulse Secure Support site.

JIS FAQ

Q: How do I find the version of Installer Service client running on my machine?
A: The version is stated in the versionInfo.ini file in the C:\Program Files\Juniper Networks\Installer Service\ directory, for example:

DisplayVersion=8.0.4.31475

In this example, the version is 8.0R4: the first two digits are the major release (8.0) and the third digit is the minor release (R4).
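As an added example (not Pulse Secure code), the following script turns the DisplayVersion value above into the R-number form used in this article and reports whether a standalone Installer Service build predates the 7.4R6 fix. The INI text is constructed from the single line quoted above; the section name is an assumption, since the article only names the key.

```python
"""Parse a JIS versionInfo.ini DisplayVersion and assess CVE-2014-3811 exposure.

Added example, not Pulse Secure code. Only the DisplayVersion key is taken from
the article; the [Version] section header in the sample is an assumption.
"""
import re
from typing import Dict, Tuple

# First standalone Installer Service release containing the fix (7.4R6),
# per the advisory: everything before 7.4 and 7.4R1 through 7.4R5 is affected.
FIXED_JIS = (7, 4, 6)

# Constructed sample standing in for
# C:\Program Files\Juniper Networks\Installer Service\versionInfo.ini
SAMPLE_INI = """[Version]
DisplayVersion=8.0.4.31475
"""

_VERSION_RE = re.compile(
    r"^\s*DisplayVersion\s*=\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$", re.MULTILINE
)


def parse_display_version(ini_text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, release, build) from the DisplayVersion line.
    A line scan is used rather than configparser so a file with or without a
    section header is handled the same way."""
    m = _VERSION_RE.search(ini_text)
    if not m:
        raise ValueError("DisplayVersion not found or not in a.b.c.d form")
    major, minor, rel, build = (int(x) for x in m.groups())
    return major, minor, rel, build


def release_label(version: Tuple[int, int, int, int]) -> str:
    """8.0.4.31475 -> '8.0R4': first two numbers are the major release, third is the R number."""
    major, minor, rel, _build = version
    return f"{major}.{minor}R{rel}"


def jis_is_vulnerable(version: Tuple[int, int, int, int]) -> bool:
    """True when the standalone Installer Service build is older than 7.4R6."""
    return version[:3] < FIXED_JIS


def assess(ini_text: str) -> Dict[str, object]:
    """Inventory-style summary for one versionInfo.ini file."""
    v = parse_display_version(ini_text)
    return {"release": release_label(v), "vulnerable": jis_is_vulnerable(v)}


if __name__ == "__main__":
    print(assess(SAMPLE_INI))  # {'release': '8.0R4', 'vulnerable': False}
```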


Q: Can the PCS/MAG PCS device auto-upgrade Installer Service client? How do I upgrade Installer Service client?
A: No. Installer Service (either EXE or MSI) must be pushed by a software management system, such as SMS/SMC, or installed manually.


Q: I do not use Installer Service anymore. Can I uninstall Installer Service to fix the vulnerability instead of upgrading?
A: Yes. If you do not use Installer Service anymore, you may uninstall it to avoid the vulnerability.

Q: Do I need to upgrade both Installer Service client and Pulse Secure Desktop client to fix the vulnerability?
A: If you have both Installer Service client and Pulse Secure Desktop Client installed on your machine, both clients must be upgraded to fix the vulnerability. If you only have Installer Service client installed, you only need to upgrade the Installer Service client. If you only have Pulse Secure Desktop Client installed, you only need to upgrade the Pulse Secure Desktop Client.


Q: Do I need to upgrade the software on the PCS/MAG PCS device?
A: No, you do not need to upgrade the software on the PCS/MAG PCS device. This is a client-side issue in Installer Service and the Pulse Secure Desktop Client, so the solution is to upgrade your clients. For Installer Service, the vulnerability is fixed in JIS 7.4R6 and above. Installer Service is forward and backward compatible with all PCS software versions above 6.5.

Alert Type: PSN - Product Support Notification
Risk Level: Medium
Legacy ID: JSA10644