JSA10571 - 2013-06 Security Bulletin: Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS): Internal and test Certificate Authority Root Servers unintentionally added to Trusted CA list

The Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) software use Trusted Server CA Root Certificate list in order to verify the validity of certificates.

Internal and development test Certificate Authority (CA) Root Certificate configuration was inadvertently added into release builds posted on our download site. If a person was able to gain control of a Certificate Authority that the PCS/PPS was configured to trust, they could potentially create a certificate for any domain of their choice.

An example of how Trusted Server CAs are used:

A user is browsing through the Pulse Connect Secure rewriter to a secure socket website (https), the Pulse Connect Secure is acting as the https client, and therefore will use its list of Certificate Authorities to verify if the backend https server has a certificate that is valid. If the certificate is found to be valid the user will not see any errors. However, if the certificate validation fails, the user would see an error that states that "the site's certificate is not valid, would you like to continue?" The problem with having Certificate Authorities on the device that you do not trust is that if someone can take control of the CA, then they can produce certificates that will appear valid to users.

Please see the Risk Assessment section for an explanation on how an attack could take place.

The inadvertent adding of the Root CA Certificates was a mistake made during the development testing process. The issue was seen from PCS version 7.1R1 to 7.1R5, 7.0R2 to 7.0R8, and PPS 4.1R1 to 4.1R5. Note: If you have never used PCS 7.1R1 to 7.1R5, 7.0R2 to 7.0R8 or PPS 4.1R1 to 4.1R5 you would not see this issue.

Pulse Secure SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during proactive internal security audits.

This issue is known as CVE-2013-3970

The extra CAs that were accidentally added need to be removed to restore the integrity of the CA store.

Software updates to PCS and PPS have been released to resolve this issue. Releases containing the fix include PCS 7.1R7 or higher and PPS OS 4.1R6 or higher.

 

• Solution for PCS 7.2rX or PPS 4.2rX or higher who once were upgraded from an affected release (PCS version 7.1R1 to 7.1R5, 7.0R2 to 7.0R8, and PPS 4.1R1 to 4.1R5)
  • Note: PCS 7.2, 7.3, 7.4, PPS 4.2, 4.3 and 4.4 who once were upgraded from an affected release will need to reset the Trusted CA Server list with the reset button on the following admin page:
    • System --> Configuration --> Certifications --> Trusted Server CAs. The "Reset Trusted Server CAs" button is a feature that was added for customers who would like a easy way of resetting their Trusted CA Server list back to the default list.
    • Optional: Once you have restored your CA list to the default you can then re-add any custom CAs that you've added to your device

 

If you are running any 7.2 or higher release or if you can upgrade to 7.2 you can simply use the "Reset Trusted Server CAs" button on the Trusted CA Servers page. This is a new feature that was added for customers who would like a easy way of resetting their Trusted CA Server list back to the default CAs. This feature was first added to 7.2r1. The feature consists of a button on the Trusted CA Servers list page, labeled: "Reset Trusted Server CAs". Once you have restored your CA list you can then add any custom CAs that you've added to your device.