If the PCS device is configured with an LDAP or NT Domain authentication server, it is possible for an attacker to mount a password-guessing attack against a known user account in that authentication server. This vulnerability exists in IVE software versions 3.3 and later. PCS products using other types of authentication servers (such as RADIUS) are not vulnerable.
The Password Management feature was added in the IVE 3.3 software release, permitting end-users to change their passwords when they were about to expire. This capability is available to unauthenticated users. An attacker could therefore repeatedly attempt to change a known user's password, using each attempt as a password guess against the backend authentication server. No limit is imposed on the number of attempts.
The login process is protected by a throttling mechanism that locks out a particular source IP address after too many unsuccessful login attempts, so the same attack is not feasible against the login page itself.
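The gap described above, as an added model that is not Pulse Secure's code: a per-source-IP lockout protects login but not the unauthenticated password-change path, which still verifies the current password against the backend on every attempt. The hardened variant shares one lockout counter across both endpoints. The threshold value, the user name and the IP addresses are assumed for illustration.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # assumed value; the advisory does not give the real login limit


class Throttle:
    """Per-source-IP failure counter, modelled on the login lockout the advisory describes."""
    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold, self.failures = threshold, defaultdict(int)
    def is_locked(self, src_ip):
        return self.failures[src_ip] >= self.threshold
    def record(self, src_ip, success):
        self.failures[src_ip] = 0 if success else self.failures[src_ip] + 1


class AuthServer:
    """Stand-in for the LDAP / NT Domain backend that verifies and changes passwords."""
    def __init__(self, users):
        self.users = dict(users)
    def verify(self, user, password):
        return self.users.get(user) == password
    def change(self, user, old, new):
        ok = self.verify(user, old)  # the current-password check is what answers right/wrong
        if ok:
            self.users[user] = new
        return ok


class Gateway:
    """Two unauthenticated endpoints; throttle_change=False reproduces the advisory's gap."""
    def __init__(self, backend, throttle_change):
        self.backend, self.throttle, self.throttle_change = backend, Throttle(), throttle_change
    def login(self, src_ip, user, password):
        if self.throttle.is_locked(src_ip):
            return "locked"
        ok = self.backend.verify(user, password)
        self.throttle.record(src_ip, ok)
        return "ok" if ok else "denied"
    def change_password(self, src_ip, user, old, new):
        if self.throttle_change and self.throttle.is_locked(src_ip):
            return "locked"
        ok = self.backend.change(user, old, new)
        if self.throttle_change:  # hardened: one shared counter covers both endpoints
            self.throttle.record(src_ip, ok)
        return "ok" if ok else "denied"


def evaluated_guesses(call, attempts):
    """Count wrong guesses an endpoint actually checks against the backend before locking out."""
    return sum(call(i) == "denied" for i in range(attempts))
```

A per-IP counter only reproduces the control the advisory describes; a per-account counter on the backend is the usual complement when guesses can arrive from many source addresses.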
Pulse Secure would like to thank GoSecure for bringing this issue to its attention. The issue was found by Jian Hui Wang.