Reset Search
 

 

Article

SA40312 - September 22 2016 OpenSSL Security Advisory

« Go Back

Information

 
Product Affected
Problem
On September 22, 2016 the OpenSSL project announced a group of new security advisories. These issues affect all supported versions of Pulse Secure products. For a list of supported software versions, please refer to our EOL policy.

The OpenSSL advisory can be found at the following link: https://www.openssl.org/news/changelog.html.
Solution
All Pulse Secure products were evaluated and found not vulnerable to the following CVE's:
  • OCSP Status Request extension unbounded memory growth (CVE-2016-6304)​​
  • Fix Use After Free for large message sizes (CVE-2016-6309)
  • Missing CRL sanity check (CVE-2016-7052)
  • SSL_peek() hang on empty record (CVE-2016-6305)​​
  • Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)
  • Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)

Products confirmed not vulnerable:

  • Pulse Workspace
  • Pulse One
  • Pulse Mobile iOS (Non-FIPS)
  • Network Connect (Windows, Non-FIPS)


Affected Products:

Pulse Secure is currently investigating all products below to determine which products may be affected by these vulnerabilities and the impact on all supported software versions. Since the investigation is on-going, we suggest to subscribe to this advisory as this document will be periodically updated with the latest status.




SWEET32 Mitigation (CVE-2016-2183)
 
Pulse Connect SecureResolved in 8.2R6
Resolved in 8.1R11.1
8.0RX is not affected
Pulse Policy SecureResolved in 5.3R6
Resolved in 5.2R9
(Tentative for Q2 2017)
Pulse Desktop client (Windows & MAC OS X)Resolved in 5.2R6
Resolved in 5.1R11
Resolved in 5.0R16
Pulse Mobile (Android)Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)Resolved in 6.2.0
Network Connect / Pulse (Linux)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
Network Connect (Mac OS X)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
Network Connect FIPS (Windows)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
SBR EnterpriseVulnerable
Odyssey Client (Windows)Vulnerable
**  In 8.1R11.1, 3DES ciphers was moved from "Accept only 168-bit and greater (maximize security)" to "Accept only 128-bit and greater (security and browser compatibility)".  In 8.1R12, 3DES was moved from the HIGH to MEDIUM option under "Custom SSL Cipher Selection".  In 8.2RX / 5.3RX release, granular cipher suites feature was added which allows the administrator to remove DES and 3DES cipher suites from the admin UI and does not require an upgrade to mitigate this issue.


OOB write in MDC2_Update() (CVE-2016-6303)
 
Pulse Connect SecureNot vulnerable
Pulse Policy SecureNot vulnerable
Pulse Desktop client (Windows & MAC OS X)Not vulnerable
Pulse Mobile (Android)Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)Resolved in 6.2.0
Network Connect / Pulse (Linux)Not vulnerable
Network Connect (Mac OS X)Not vulnerable
Network Connect FIPS (Windows)Not vulnerable
SBR EnterpriseVulnerable
Odyssey Client (Windows)Not vulnerable

Malformed SHA512 ticket DoS (CVE-2016-6302)
 
Pulse Connect SecureNot vulnerable
Pulse Policy SecureNot vulnerable
Pulse Desktop client (Windows & MAC OS X)Resolved in 5.2R6
Resolved in 5.1R11
Resolved in 5.0R16
Pulse Mobile (Android)Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)Resolved in 6.2.0
Network Connect / Pulse (Linux)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
Network Connect (Mac OS X)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
Network Connect FIPS (Windows)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
SBR EnterpriseVulnerable
Odyssey Client (Windows)Vulnerable

OOB write in BN_bn2dec() (CVE-2016-2182)
 
Pulse Connect SecureResolved in 8.2R6
Resolved in 8.1R11
​8.0RX is not affected
Pulse Policy SecureResolved in 5.3R6
Resolved in 5.2R9
(Tentative for Q2 2017)
Pulse Desktop client (Windows & MAC OS X)Not vulnerable
Pulse Mobile (Android)Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)Resolved in 6.2.0
Network Connect / Pulse (Linux)Not vulnerable
Network Connect (Mac OS X)Not vulnerable
Network Connect FIPS (Windows)Not vulnerable
SBR EnterpriseNot vulnerable
Odyssey Client (Windows)Vulnerable

OOB read in TS_OBJ_print_bio() (CVE-2016-2180)​
 
Pulse Connect SecureNot vulnerable
Pulse Policy SecureNot vulnerable
Pulse Desktop client (Windows & MAC OS X)Not vulnerable
Pulse Mobile (Android)Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)Resolved in 6.2.0
Network Connect / Pulse (Linux)Not vulnerable
Network Connect (Mac OS X)Not vulnerable
Network Connect FIPS (Windows)Not vulnerable
SBR EnterpriseVulnerable
Odyssey Client (Windows)Vulnerable

Pointer arithmetic undefined behaviour (CVE-2016-2177)​
 
Pulse Connect SecureNot vulnerable
Pulse Policy SecureNot vulnerable
Pulse Desktop client (Windows & MAC OS X)Resolved in 5.2R6
Resolved in 5.1R11
Resolved in 5.0R16
Pulse Mobile (Android)Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)Resolved in 6.2.0
Network Connect / Pulse (Linux)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
Network Connect (Mac OS X)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
Network Connect FIPS (Windows)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
SBR EnterpriseVulnerable
Odyssey Client (Windows)Vulnerable

Constant time flag not preserved in DSA signing (CVE-2016-2178)
 
Pulse Connect SecureNot vulnerable
Pulse Policy SecureNot vulnerable
Pulse Desktop client (Windows & MAC OS X)Not vulnerable
Pulse Mobile (Android)Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)Resolved in 6.2.0
Network Connect / Pulse (Linux)Not vulnerable
Network Connect (Mac OS X)Not vulnerable
Network Connect FIPS (Windows)Not vulnerable
SBR EnterpriseVulnerable
Odyssey Client (Windows)Vulnerable

DTLS buffered message DoS (CVE-2016-2179)
 
Pulse Connect SecureNot vulnerable
Pulse Policy SecureNot vulnerable
Pulse Desktop client (Windows & MAC OS X)Not vulnerable
Pulse Mobile (Android)Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)Resolved in 6.2.0
Network Connect / Pulse (Linux)Not vulnerable
Network Connect (Mac OS X)Not vulnerable
Network Connect FIPS (Windows)Not vulnerable
SBR EnterpriseNot vulnerable
Odyssey Client (Windows)Not vulnerable

DTLS replay protection DoS (CVE-2016-2181)
 
Pulse Connect SecureNot vulnerable
Pulse Policy SecureNot vulnerable
Pulse Desktop client (Windows & MAC OS X)Not vulnerable
Pulse Mobile (Android)Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)Resolved in 6.2.0
Network Connect / Pulse (Linux)Not vulnerable
Network Connect (Mac OS X)Not vulnerable
Network Connect FIPS (Windows)Not vulnerable
SBR EnterpriseNot vulnerable
Odyssey Client (Windows)Not vulnerable

Certificate message OOB reads (CVE-2016-6306)
 
Pulse Connect SecureResolved in 8.2R6
Resolved in 8.1R11
​8.0RX is not affected
Pulse Policy SecureResolved in 5.3R6
Resolved in 5.2R9
(Tentative for Q2 2017)
Pulse Desktop client (Windows & MAC OS X)Resolved in 5.2R6
Resolved in 5.1R11
Resolved in 5.0R16
Pulse Mobile (Android)Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)Resolved in 6.2.0
Network Connect / Pulse (Linux)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
Network Connect (Mac OS X)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
Network Connect FIPS (Windows)Resolved in 8.2R6
Resolved in 8.1R11
Resolved in 8.0R16
SBR EnterpriseVulnerable
Odyssey Client (Windows)Vulnerable

Document History:

September 22nd, 2016 - Initial document posted
September 30th, 2016 - Updated various products and statuses
October 3rd, 2016 - Added SBR status for all CVE's, [CVE-2016-6308, CVE-2016-6307,CVE-2016-6305] has been confirmed not vulnerable for all Pulse Secure products
October 8th, 2016 - All products confirmed not vulnerable for CVE-2016-6304 and SBR status update for CVE-2016-6302, CVE-2016-2178, CVE-2016-2177, CVE-2016-2180, CVE-2016-6306
October 18th, 2016 - Updated tentative dates for Pulse Secure Desktop, Network Connect (Mac), Network Connect / Pulse (Linux), Network Connect FIPS (Windows)
October 31, 2016 - Additional mitigation steps provided for 8.1RX and below for CVE-2016-2183
November 10th, 2016 - Added tentative dates for PCS and PPS, 8.0RX for PCS is not affected
January 10th, 2016 - Added fixed release for Pulse Mobile iOS (FIPS) 6.2.0
February 8th, 2017 - Added tentative date for PPS 5.2R9
March 20th, 2017 - Update PCS release to 8.1R11.1 for CVE-2016-2183
Workaround
Implementation
Related Links
CVSS Score
Risk Assessment
Acknowledgements
Alert Type 
Risk Level 
Attachment 1 
Attachment 2 
Legacy ID

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255