JSA10380 - Security Vulnerability in Pulse Policy Secure Platform's Radius Authentication Server used in a Realm not doing Radius Proxy.

When using a Radius authentication server in a realm configured with the "Do Not Proxy" option, an unauthenticated user may bypass the authentication step of the PPS login process. A bug in the affected PPS firmware allows a new Radius Access-Request packet to be sent to the backend Radius server with some Radius attributes containing values that duplicate the values in a previously authenticated Access-Request packet. This duplication of fields in the new Access-Request allows the Radius server to treat the new Access-Request as a duplicate of the previous Access-Request. In this case, the Radius server could return an Access-Accept message to the PPS without validating the credentials in the new Access-Request. Thus, a user might be authenticated by the PPS without the backend Radius server authenticating that user’s credentials.

Pulse Secure has resolved this issue in PPS firmware version 2.1R4. Note: All future major/minor PPS firmware releases will contain this fix. This vulnerability is not present in any 1.x version of the PPS firmware.