SA40196 - [Pulse Secure] Badlock security advisory (CVE-2016-2118)


Information

 
Product Affected: Pulse Connect Secure and Pulse Policy Secure
Problem
The Samba team has released eight (8) new security advisories. The issue known as "Badlock" is included in this group.

CVE-2016-2118 SAMR and LSA man in the middle attacks possible
Pulse Connect Secure: Vulnerable:
Resolved in 8.2R5
Resolved in 8.1R10

Pulse Policy Secure: Vulnerable:
Resolved in 5.3R5
Resolved in 5.2R8 (Tentative for October)

CVE-2015-5370 Multiple errors in DCE-RPC code
Pulse Connect Secure: Vulnerable:
Resolved in 8.2R5
Resolved in 8.1R10

Pulse Policy Secure: Vulnerable:
Resolved in 5.3R5
Resolved in 5.2R8 (Tentative for October)

CVE-2016-2110 Man in the middle attacks possible with NTLMSSP
Pulse Connect Secure: Vulnerable:
Resolved in 8.2R5
Resolved in 8.1R10

Pulse Policy Secure: Vulnerable:
Resolved in 5.3R5
Resolved in 5.2R8 (Tentative for October)

CVE-2016-2113 Missing TLS certificate validation
Pulse Connect Secure: Vulnerable:
Resolved in 8.2R5
Resolved in 8.1R10

Pulse Policy Secure: Vulnerable:
Resolved in 5.3R5
Resolved in 5.2R8 (Tentative for October)

Pulse Connect Secure / Pulse Policy Secure are not vulnerable to the following issues:
CVE-2016-2111 NETLOGON Spoofing Vulnerability
CVE-2016-2112 LDAP client and server don't enforce integrity
CVE-2016-2114 "server signing = mandatory" not enforced
CVE-2016-2115 SMB IPC traffic is not integrity protected
 
Solution
This advisory will be updated as more information is made available.

Pulse Secure is currently working to resolve these new issues.

Document History:
April 12th, 2016 -- Initial posting
May 5th, 2016 -- Added findings
July 1st, 2016 -- Provided ETA release dates
August 2nd, 2016 -- Updated ETA release dates, added PPS release versions and release dates, minor format changes
Alert Type: SA - Security Advisory