This advisory provides information about multiple vulnerabilities resolved in Pulse Connect Secure and Pulse Policy Secure 9.0R1 release. These issues apply to all release prior to PCS and PPS 9.0R1.
Additionally, these issues are resolved in the following releases:
Pulse Connect Secure:
Pulse Policy Secure:
CVSS Score (V3)
The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value.
Pulse Connect Secure 8.1.x before 8.1R14, 8.2.x before 8.2R11, and 8.3.x before 8.3R5 do not properly process nested XML entities, which allows remote attackers to cause a denial of service (memory consumption and memory errors) via a crafted XML document.
A cross site scripting issue has been found in welcome.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R12, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 due to one of the URL parameters not being sanitized properly.
An issue was discovered in the IPv6 protocol specification, related to ICMP Packet Too Big (PTB) messages. (The scope of this CVE is all affected IPv6 implementations from all vendors.) The security implications of IP fragmentation have been discussed at length in [RFC6274] and [RFC7739]. An attacker can leverage the generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual fragmentation of packets is not needed) and can subsequently perform any type of fragmentation-based attack against legacy IPv6 nodes that do not implement [RFC6946
Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service
A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the arcfour-hmac-md5 PAC checksum.
A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.
A cross site scripting issue has been found in new_object.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R13, 8.2.x before 8.2R10, and 8.3.x before 8.3R4 due to one of the URL parameters not being sanitized properly.