SA45476 - Client Side Desync Attack (Informational)

Information

 
Product Affected
Pulse Connect Secure 9.1R15 and below.
Problem
PortSwigger has responsibly disclosed a vulnerability that affects the Pulse Collaboration feature. Their write-up can be found here: https://portswigger.net/research/browser-powered-desync-attacks
Ivanti has also requested CVE-2022-21826.
The attack in this instance is a Client-Side Desync (CSD) attack. It requires an authenticated user and full control over an authenticated session, and it is possible between a client machine and the VPN (Pulse Connect Secure) server.
 
Solution
To remediate this issue immediately, upgrade the Pulse Connect Secure server to 9.1R16 or above. The Pulse Collaboration feature that is the target of this attack is not available in 9.1R16 or in any later release.

Please refer to KB45487 for further information.
CVSS Score
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS Score 3.7 (Low)