JSA10361 - Pulse Connect Secure (PCS) ActiveX client vulnerability

Summary:
A malicious web site could trick an PCS users to click a link exploiting a vulnerability present in the ActiveX component of the PCS client software

Details:
When using Internet Explorer to access the PCS device, an ActiveX control is automatically downloaded to perform various tasks. This ActiveX control could be invoked in a web page on a malicious website by using the standard HTML "object" notation. The "object" tag contains the control to be loaded (in this case the PCS ActiveX) and provides a list of parameters and values that get passed.

A stack overflow currently exists in the way the PCS ActiveX control parses those parameters which could lead to remote code execution in the context of Internet Explorer.

Acknowledgement:
Pulse Secure extends a special thank you to Eeye for reporting and working to resolve this issue with our engineering teams.

Disclaimer:
Pulse Secure is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. Pulse Secure expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. Pulse Secure may change this notice at any time.
 

Recommended Actions:
Upgrade the PCS software to any of the following patched versions:

• 5.3R2.1
• 5.2R4.1
• 5.1R8
• 5.0R6.1
• 4.2R8.1