KB45487 - Client-Side Desync Attack Informational Article

This article provides information mitigations to address a vulnerability that affects the Pulse Collaboration feature in Pulse Connect Secure version 9.1R15 and below.

As described in SA45476 - Client Side Desync Attack (Informational), Portswigger has provided a responsible disclosure of a vulnerability that affects the Pulse Collaboration feature. See https://portswigger.net/research/browser-powered-desync-attacks for details.

 

Pulse Secure was aware of this article, and after an initial evaluation we classified this as a product defect rather than a security issue and treated it as such. After receiving questions from customers we have conducted further investigations and have now changed our position. We have now requested CVE-2022-21826 with CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Score 3.7 (Low).

As the Portswigger article makes clear, it would be extremely complex to exploit this vulnerability in a real world situation.

 
  

 

The Pulse Collaboration feature that is the target of this attack is not available in any releases post 9.1R16.
If you are running versions 9.1R15 or lower, the immediate remediation is to upgrade to version 9.1R16 or above.