KB45487 - Client-Side Desync Attack Informational Article


Information

 
Last Modified Date: 9/28/2022 3:02 AM
Synopsis
This article provides information on mitigations for a vulnerability that affects the Pulse Collaboration feature in Pulse Connect Secure version 9.1R15 and below.
Problem or Goal
As described in SA45476 - Client Side Desync Attack (Informational), PortSwigger has responsibly disclosed a vulnerability that affects the Pulse Collaboration feature. See https://portswigger.net/research/browser-powered-desync-attacks for details.

 

Pulse Secure was aware of this article. After an initial evaluation, we classified the issue as a product defect rather than a security issue and treated it as such. After receiving questions from customers, we conducted further investigations and have now changed our position. We have now requested CVE-2022-21826, with a CVSS score of 3.7 (Low) and vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N.

As the PortSwigger article makes clear, it would be extremely complex to exploit this vulnerability in a real-world situation.

 
  

 
Cause
Solution
The Pulse Collaboration feature that is the target of this attack is not available in any releases post 9.1R16.
If you are running versions 9.1R15 or lower, the immediate remediation is to upgrade to version 9.1R16 or above.

 
Created By: Sean Parker
