JSA10336 - Pulse Connect Secure (PCS) vulnerable to brute-force password attack

Information

Problem
If the PCS device is configured with an LDAP or NT Domain authentication server, it is possible for an attacker to mount a password-guessing attack against a known user account in that authentication server. This vulnerability exists in IVE software versions 3.3 and later. PCS products using other types of authentication servers (such as RADIUS) are not vulnerable.

The Password Management feature was added in the IVE 3.3 software release, permitting end-users to change their passwords when they were about to expire. This capability is available to unauthenticated users. An attacker could try to repeatedly change a user’s password. No limit is imposed on the number of attempts.

The login process is protected by a throttling mechanism that will lock out a particular source IP address after too many unsuccessful login attempts have occurred, so a similar attack is not feasible when logging in.

Pulse Secure would like to thank GoSecure for bringing this issue to its attention. The issue was found by Jian Hui Wang.
Solution
Software versions 4.1R1 and 4.1.1 apply the same throttling mechanism used by the login process to the Password Management feature, making it impossible for an attacker to perform a brute-force attack.
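As an added illustration (not Pulse Secure's code), the following shows a per-source-IP throttle of the kind the solution describes, placed in front of an unauthenticated password-change handler so that failed attempts are counted and the source is locked out, exactly as the advisory says the login path already did. The user store, thresholds and addresses are constructed for the example.

```python
import hmac
import time
from collections import defaultdict

# Constructed sample user store; a real PCS would consult LDAP or an NT Domain.
USERS = {"alice": "Correct-Horse-42"}


class SourceThrottle:
    """Lock out a source IP after too many failed attempts (hypothetical helper)."""

    def __init__(self, max_failures=5, lockout_seconds=600, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(int)    # src_ip -> consecutive failures
        self.locked_until = {}              # src_ip -> monotonic time lock expires

    def is_locked(self, src_ip):
        until = self.locked_until.get(src_ip)
        if until is None:
            return False
        if self.clock() >= until:           # lockout expired: reset the counter
            del self.locked_until[src_ip]
            self.failures[src_ip] = 0
            return False
        return True

    def record_failure(self, src_ip):
        self.failures[src_ip] += 1
        if self.failures[src_ip] >= self.max_failures:
            self.locked_until[src_ip] = self.clock() + self.lockout_seconds

    def record_success(self, src_ip):
        self.failures.pop(src_ip, None)


def change_password(throttle, src_ip, username, old_password, new_password):
    """Unauthenticated password-change handler; returns 'locked', 'rejected' or 'changed'.

    The throttle is consulted before any credential check, so a guessing client
    is cut off after max_failures regardless of which username it targets.
    """
    if throttle.is_locked(src_ip):
        return "locked"
    # Same 'rejected' answer for unknown users and wrong passwords; constant-time compare.
    if username in USERS and hmac.compare_digest(USERS[username], old_password):
        USERS[username] = new_password
        throttle.record_success(src_ip)
        return "changed"
    throttle.record_failure(src_ip)
    return "rejected"
```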
Risk Assessment
Customers may be exposed to a password brute-force attack. Typical methods of assigning usernames coupled with users' tendencies to use weak passwords make it feasible for an attacker to gain remote access into a corporate network.
Alert Type: PSN - Product Support Notification
Risk Level: Medium
Legacy ID: PSN-2004-08-025, JSA10336