JSA10342 - Active Directory anonymous access may enable anonymous PCS login

Information

Product Affected: PCS
Versions: 4.0, 4.1, 4.1.1
Problem
In a specific configuration scenario, a user may be able to enter a specially crafted username and password that will be authenticated against the Active Directory anonymous account. Since Active Directory permits any password to be used for authentication against the anonymous account, the specially crafted username and password will be accepted by Active Directory and the user will be logged in to the IVE.

For this vulnerability to occur, each of the following must be true.
1. Microsoft Active Directory Server is being used to authenticate users.
2. The "Allow domain to be specified as part of username" option is enabled on the PCS server. This is found on the Active Directory Auth Server Settings Page.
3. The Active Directory Server is allowing anonymous access.

The following versions (and their revisions and patches) of PCS software are vulnerable.
• 4.0
• 4.1
• 4.1.1
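The flow described above, as an added example that is not Pulse Secure's code: a stand-in directory that behaves as the advisory states (the anonymous account accepts any password), an authenticator that splits the domain off the username and trusts any successful bind, and a hardened authenticator that refuses an empty identity and never counts an anonymous bind as a login. The sample accounts are constructed, and modelling the anonymous account as an empty identity is an assumption of this example, not a statement about how PCS or Active Directory resolve names. Passing allow_domain_prefix=False mirrors the workaround of disabling the "Allow domain to be specified as part of username" option.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class BindResult:
    success: bool
    anonymous: bool


# Constructed sample accounts (identity -> password); not real credentials.
_ACCOUNTS = {"alice": "correct horse", "bob": "hunter2"}


def directory_bind(identity: str, password: str) -> BindResult:
    """Stand-in for an Active Directory simple bind.

    Assumption of this example: an empty identity is the anonymous account.
    As the advisory states, that account accepts any password, so the bind
    succeeds but is flagged anonymous rather than as a real user.
    """
    if identity == "":
        return BindResult(success=True, anonymous=True)
    if _ACCOUNTS.get(identity) == password:
        return BindResult(success=True, anonymous=False)
    return BindResult(success=False, anonymous=False)


def split_domain(username: str, allow_domain_prefix: bool) -> Tuple[Optional[str], str]:
    """Model of the 'Allow domain to be specified as part of username' option.

    When enabled, 'DOMAIN\\user' is split into (DOMAIN, user); when disabled
    (the workaround), the username is forwarded unchanged.
    """
    if allow_domain_prefix and "\\" in username:
        domain, _, user = username.partition("\\")
        return domain, user
    return None, username


def login_vulnerable(username: str, password: str, allow_domain_prefix: bool = True) -> bool:
    """Forwards whatever remains after the domain prefix to the directory and
    treats any successful bind as a login (the behaviour the advisory describes)."""
    _, identity = split_domain(username, allow_domain_prefix)
    return directory_bind(identity, password).success


def login_hardened(username: str, password: str, allow_domain_prefix: bool = True) -> bool:
    """Same flow with two defensive checks: the identity must be non-empty after
    parsing, and an anonymous bind is never accepted as authentication."""
    _, identity = split_domain(username, allow_domain_prefix)
    if not identity.strip():
        return False
    result = directory_bind(identity, password)
    return result.success and not result.anonymous


if __name__ == "__main__":
    for username, password in [("alice", "correct horse"), ("CORP\\alice", "correct horse"), ("CORP\\", "anything")]:
        print(f"{username!r}: vulnerable={login_vulnerable(username, password)} "
              f"hardened={login_hardened(username, password)} "
              f"option_off={login_vulnerable(username, password, allow_domain_prefix=False)}")
```

The second check matters on its own: even if the identity parser is later changed, a directory that answers an unauthenticated or anonymous bind with "success" must not be mistaken for a verified user, so the authenticator should inspect who the directory says the bind is for, not only whether it succeeded.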
Solution
Pulse Secure strongly urges all customers with vulnerable PCS servers to take immediate action using one of the following two solutions.

1. Customers can work around the vulnerability by unselecting the "Allow domain to be specified as part of username" option on the IVE server, found on the Active Directory Auth Server Settings Page.

2. Download and install one of the PCS software versions built to address this issue. Use your current running version to determine which version you need to download.

If you are using this version    Upgrade to this version
------------------------------   ------------------------------------------------
4.0GA (Build 5531)               4.0-S2 (Build 7367)
4.0-S1 (Build 5813)              4.0-S2 (Build 7367)
4.0 Patch1 (Build 5871)          4.0 P1-S1 (Build 7365)
4.0 Patch2 (Build 6305)          4.0 P2-S1 (Build 7363)
4.0R1 (Build 6833)               4.0R1-S1 (Build 7369)
4.1GA (Build 6641)               4.1-S1 (Build 7337)
4.1R2 (Build 6991)               4.1R2-S1 (Build 7373)
4.1R3 (Build 7199)               4.1R3-S1 (Build 7345)
4.1.1GA (Build 6951)             4.1.1-S1 (Build 7335)
4.1.1R1 (Build 7387)             No upgrade needed. This version is not affected.

If you are having difficulties accessing the software, please contact Pulse Secure Customer Care.
Related Links
To access the latest software, please visit: http://my.pulsesecure.net
Risk Assessment: Active Directory anonymous access may enable anonymous IVE login.
Alert Type: PSN - Product Support Notification
Risk Level: Critical
Legacy ID: PSN-2004-11-003, JSA10342