Reset Search
 

 

Article

SA40971 - Pulse One On-Premise Remote Information Disclosure Vulnerability

« Go Back

Information

 
Product AffectedPulse One On-Premise (software version 2.0.1649 only)
Problem
Pulse One On-Premise software version 2.0.1649 does not properly validate requests which allows remote users to query and obtain sensitive information. This issue is exploitable only for Pulse One On-Premise (runs only on PSA7000 devices). For more information about Pulse One On-Premise, please refer to KB40560 - Pulse One On-Premise Frequently Asked Questions (FAQ).


PSIRT is not aware of any malicious exploitation of this vulnerability. This issue was found during proactive internal security audits.

This issue was assigned CVE-2017-14935.

All other Pulse Secure products are not vulnerable to this issue:
  • Pulse Connect Secure
  • Pulse Policy Secure
  • All Pulse clients (Network Connect, Pulse Secure Desktop, Secure Application Manager, etc)
  • Pulse Workspace
  • Pulse One cloud solution (hosted by Pulse Secure)
  • Pulse Secure vADC
  • Virtual Appliances (VA-DTE & VA-SPE)
Solution
This issue is resolved in Pulse One On-Premise 2.0.1723 and is available to download at Pulse Secure Licensing and Download Center.

 
Workaround
If an upgrade is not possible, place the Pulse One On-Premise behind an firewall  and enforce the following traffic policies:

Cluster External IP address & External Ports (node-specific):

  • Allow inbound / outbound TCP port 80 and 443
  • Allow inbound / outbound UDP traffic for configured DNS servers

Optional (if service is configured and traffic is sent through firewall)

  • Allow inbound / outbound traffic TCP 514 to syslog server 
  • ​Allow inbound / outbound traffic TCP / UDP 123 to NTP server
  • Allow inbound / outbound traffic TCP 2049 to NFS server
  • Allow inbound / outbound traffic TCP 25 to SMTP server


Cluster Internal IP address & Internal port (node-specific):

  • Allow only inbound / outbound TCP and UDP traffic for other cluster node

Note: Cluster internal IP and internal port are only used for communication between each node in the cluster (including cluster communication).  All other traffic should not be allowed.
Implementation
Related Links
CVSS Score9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Risk Assessment
Acknowledgements
Alert TypeSA - Security Advisory
Risk LevelCritical
Attachment 1 
Attachment 2 
Legacy ID

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255