KB15799 - Pulse Secure recommendations for mitigating VU#261869

Last Modified Date: 7/31/2015 2:47 AM
An industry-wide security issue has been discovered in the way clientless SSL-VPN devices rewrite content.
Problem or Goal
The rewriter may break web browsers' domain-based security model.
This issue may be limited by constraining the set of web servers for which the PCS device rewrites content.

On the PCS device, constraining the web servers for content rewriting may be accomplished in any of the following ways:

1. "Web ACL" policies
"Web ACL" policies may be used to allow access through the PCS device to a constrained set of resources. Other sites will not be accessible through the PCS device.

2. "Selective Rewriting" policies
Enumerate the company-owned resources that are to be rewritten in "Selective Rewriting" policies. All other resources will not be rewritten; the browser will access other content directly, maintaining isolation between company-owned resources and the Internet.

Note: If "Selective Rewriting" policies are not visible in the administrator UI, use the "Customize" button on a resource policy page to enable display of "Selective Rewriting" policies.

3. Use other access methods
The JSAM, WSAM, and Network Connect access methods are not vulnerable to the exploits described in VU#261869. For users that use these access methods, the content rewriter may be completely disabled by turning off the "Web" role option on all roles used by such users.

4. Use "Passthrough Proxy" policies
Enumerate the company-owned servers that are to be accessed through the PCS device. For each server, do the following:
  • Create a "Passthrough Proxy" policy. Choose the "Use virtual hostname" option and DO NOT check "Rewrite XML" or "Rewrite external links".
  • Configure the external-facing DNS resolution to resolve the server hostname to an IP address on the SSL-VPN device.

When "Passthrough Proxy" is configured in this way, isolation is maintained between company-owned servers and Internet servers.
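Added audit helper for mitigations 2 and 4 above (not part of this KB article or of the PCS product): it decides whether a URL's host falls inside an enumerated "Selective Rewriting" allowlist, and checks that each "Passthrough Proxy" virtual hostname resolves in external DNS only to the SSL-VPN device. The allowlist pattern form (`*.example.com`), hostnames and addresses are assumptions and constructed placeholders, not PCS policy syntax.

```python
import socket
from urllib.parse import urlsplit

# Added example, not from the KB article. Hostnames and addresses are
# constructed placeholders (example.com, RFC 5737 address space).

def resolve_all(hostname):
    """Return every address the local resolver returns for hostname (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def host_matches(hostname, pattern):
    """Match a hostname against an allowlist entry: an exact name, or '*.example.com'
    for any subdomain of example.com (assumed pattern form, not PCS syntax)."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])   # ".example.com" suffix, subdomains only
    return hostname == pattern

def rewrite_allowed(url, allowlist):
    """True if the rewriter should touch this URL under a selective-rewriting allowlist;
    anything else should be fetched by the browser directly, preserving isolation."""
    host = urlsplit(url).hostname
    return host is not None and any(host_matches(host, p) for p in allowlist)

def audit_passthrough_dns(virtual_hosts, gateway_ips, resolver=resolve_all):
    """For each Passthrough Proxy virtual hostname, verify that external DNS points only
    at the SSL-VPN device. Returns {hostname: None if OK, else a description of the problem}."""
    gateway = set(gateway_ips)
    report = {}
    for name in virtual_hosts:
        addrs = resolver(name)
        if not addrs:
            report[name] = "does not resolve"
        elif addrs - gateway:
            report[name] = "resolves outside the gateway: " + ", ".join(sorted(addrs - gateway))
        else:
            report[name] = None
    return report

if __name__ == "__main__":
    # Constructed input: run from outside the corporate network to see external DNS.
    for host, problem in audit_passthrough_dns(["intranet.example.com"], ["198.51.100.10"]).items():
        print(host, "OK" if problem is None else problem)
```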

5. Disable roaming session
Disabling roaming sessions may be used to prevent stolen cookies from being used to completely hijack a user's session.

To disable roaming session, configure each user role under "Session Options". Choose "Disabled (maximize security)" in the "Roaming session" section.

Note: Even with roaming session disabled, an attacker may be able to exploit the vulnerability through the user's browser.
Created By: Data Deployment