JSA10379 - Security Vulnerability in Pulse Connect Secue (PCS) RADIUS authentication mechanism

If RADIUSis being used as the authentication mechanism on PCS running an affected release of the OS, then in a specific scenario, an unauthenticated user may be able to get past the authentication step of the PCS login process. This issue was due to a bug in the software which resulted in a RADIUS Access-Request packet being sent to the backend RADIUS server with some fields containing the same values as the previous Access-Request packet which may have caused the RADIUS server to believe that this Access-Request is a duplicate packet. Depending on how the backend RADIUS server is configured to handle this duplicate Access-Request packet the authentication step may or may not succeed on PCS  i.e. only if the backend RADIUS server responds with an Access-Accept packet without validating the credentials will authentication succeed. However if the RADIUS server validates the credentials presented in the (duplicate) Access-Request packet then this vulnerability does not pose any security risk.

Pulse Secure has resolved this issue in PCS version 6.0R5, 6.0R4.3, 6.0R3.2 and 6.1R2.1

Note: All future major/minor PCS releases will contain this fix. This vulnerability is not present in any 5.x or older version of PCS.

To access the latest software, please visit http://my.pulsesecure.net