The Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) software use a Trusted Server CA Root Certificate list to verify the validity of the certificates presented to them.
A Certificate Authority (CA) root certificate configuration used for internal and development testing was inadvertently included in release builds posted on our download site. Anyone who gained control of a CA that PCS/PPS is configured to trust (that is, who held its signing key) could issue a certificate for any domain of their choice, and the appliance would accept it as valid.
An example of how Trusted Server CAs are used:
When a user browses through the Pulse Connect Secure rewriter to an HTTPS website, the Pulse Connect Secure acts as the HTTPS client and therefore uses its list of trusted Certificate Authorities to check whether the backend HTTPS server presents a valid certificate. If the certificate chains to a trusted CA, the user sees no error. If validation fails, the user sees an error stating that "the site's certificate is not valid, would you like to continue?" The problem with having Certificate Authorities on the device that you do not actually trust is that anyone who takes control of such a CA can produce certificates for any host name; the device will accept them, and the user will see no warning at all.
Please see the Risk Assessment section for an explanation of how an attack could take place.
The root CA certificates were added by mistake during the development testing process. The issue is present in PCS versions 7.1R1 through 7.1R5 and 7.0R2 through 7.0R8, and in PPS versions 4.1R1 through 4.1R5. Note: installations that have never run any of those releases are not affected.
Pulse Secure SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was found during proactive internal security audits.
This issue is tracked as CVE-2013-3970.