JSA10413 - Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) products - Security Bundle - Authentication & Authorization Issue

Authentication & Authorization vulnerability found and fixed through a combination of internal and external proactive security testing:
- When using NTLMv1 or NTLMv2 authentication protocols for Active Directory based authentication it is possible to bypass the authentication step of the login flow. Note: This vulnerability exists only in AD/NT mode authentication servers and not in LDAP mode.

Upgrade is recommended to the following or later releases:
- PCS: 6.0R12; 6.1R8; 6.2R6; 6.3R5; 6.4R2; 6.5R1
- PPS: 3.0R2
 

1. Select only the "Kerberos" option as the authentication protocol within Active Directory authentication server configuration on the PCS or PPS. A restart of services will be required for this config change to take effect.

(OR)

2. Use strong authorization rules (role mapping rules) to reduce the impact/risk of this vulnerability; as this vulnerability can be exploited to bypass only the authentication step of the login flow (the authorization process will still be executed and may successfully restrict access to any resources) Some examples of strong authorization rules include role mapping based on group membership or role mapping based on specific attributes.

Software upgrades recommended in this Security Advisory are synchronized with the recommendations in other bulletins (JSA10414 and JSA10415). This enables customers to upgrade once and have all issues resolved with the upgrade.

Patched Software Release Service Packages are available at Pulse Secure Licensing and Download Center: https://my.pulsesecure.net. Documentation links to the relevant software’s are also available at Pulse Secure Licensing and Download Center.