SA43667 - 03-2018 Out-of-Cycle Advisory: SAML allow authentication bypass via incorrect XML canonicalization

Information

Product Affected: Pulse Connect Secure, Pulse Workspace, Pulse One, virtual Traffic Manager (vTM)
Problem
Multiple Pulse Secure products that use a SAML implementation could allow an attacker with authenticated access to a SAML Identity Provider (IdP) to bypass authentication and be accepted as a different user. The cause is an inconsistency between XML DOM traversal APIs in how they handle comment nodes.

A CVE identifier has been requested; this advisory will be updated when it is assigned.

All Pulse Secure products were evaluated, and the following products are known to be affected by this issue:
  • All supported versions of Pulse Connect Secure with a SAML authentication server configured as Service Provider
  • Pulse Workspace with SAML enabled
  • Pulse One with Enterprise (SAML) SSO enabled on the admin login
  • vTM 17.4 only, with a virtual server configured for SAML authentication
For a list of supported software versions, please refer to our EOL policy. All other Pulse Secure products (not listed above) were determined not to be vulnerable.
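As an added illustration (not from the advisory and not Pulse Secure's code), the following Python script shows the DOM inconsistency described above on a constructed NameID: a first-text-node lookup returns a shorter identifier than the full text content that canonicalization and the XML signature cover, and a strict extractor rejects any NameID that is not a single text node. The sample assertions and function names are constructed for this example; the namespace URI is the standard SAML 2.0 assertion namespace.

```python
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample fragments (not real assertions). The second one carries an
# XML comment inside the subject identifier, splitting it into two text nodes.
CLEAN_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
    "<saml:NameID>alice@example.com</saml:NameID>"
    "</saml:Subject></saml:Assertion>"
)
COMMENTED_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
    "<saml:NameID>alice@example.com<!-- split -->.example.net</saml:NameID>"
    "</saml:Subject></saml:Assertion>"
)


def _name_id_node(xml_text):
    """Return the first saml:NameID element (minidom keeps comment nodes)."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def naive_name_id(xml_text):
    """Read only the first text node, as a firstChild/.text style lookup does.
    The comment ends that text node, so everything after it is silently dropped."""
    first = _name_id_node(xml_text).firstChild
    return first.data if first is not None and first.nodeType == first.TEXT_NODE else ""


def full_name_id(xml_text):
    """Concatenate every text-node child. Canonicalization discards comments, so
    this joined value is what the signature over the assertion actually covers."""
    node = _name_id_node(xml_text)
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)


def strict_name_id(xml_text):
    """Hardened extractor: accept a NameID only when it is exactly one text node.
    Comments, child elements or split text are rejected (None) rather than
    trusting whichever traversal API the application happens to use."""
    children = list(_name_id_node(xml_text).childNodes)
    if len(children) != 1 or children[0].nodeType != children[0].TEXT_NODE:
        return None
    return children[0].data


if __name__ == "__main__":
    print("naive :", naive_name_id(COMMENTED_ASSERTION))   # alice@example.com
    print("full  :", full_name_id(COMMENTED_ASSERTION))    # alice@example.com.example.net
    print("strict:", strict_name_id(COMMENTED_ASSERTION))  # None
```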
Solution
Update: April 7th, 2018

Pulse Secure has verified a fix and will provide tentative release timelines shortly. Please continue to monitor this advisory for updates.
Workaround
  • Pulse Connect Secure customers with multi-factor authentication configured reduce the likelihood of this issue being exploited, but are still advised to upgrade to a patched release when it becomes available.
Document History:
March 7th, 2018 - Initial document posted
Risk Assessment:
  • Pulse Connect Secure - Low
  • Pulse Workspace - Low
  • Pulse One - Low
  • vTM - Medium
Alert Type: SA - Security Advisory
Risk Level: Medium