Reset Search
 

 
Article

SA40006 - Details on fixes for SSL/TLS MITM vulnerability (CVE-2014-0224)

Printable View
« Go Back

Information

 
Product Affected
Problem
The following products and versions are vulnerable to the OpenSSL vulnerability CVE-2014-0224

The vulnerability exists when both the client AND  the server are vulnerable.

Server-side:
  • Pulse Connect Secure software versions 7.4Rx and 8.0Rx:
    • Please note that Pulse Connect Secure software version 7.1Rx, 7.2Rx and 7.3Rx uses openssl version which is NOT vulnerable on the server side, but clients mentioned below delivered from the server are still vulnerable, as all OpenSSL client versions are vulnerable. Please note that the vulnerability can only be exploited if both server and client are vulnerable to this issue. In the event if only one of the two is vulnerable, there is no risk of exploitation.
Client-Side:
  • All Pulse Secure Desktop versions
  • All Host Checker versions
  • All Network Connect for Linux versions
  • All Network Connect (FIPS) versions
  • Network Connect for Mac OS X (depedent on the openssl version installed on Mac OS X)
  • All Pulse Secure Mobile for iOS FIPS versions
  • All Pulse Secure Mobile for Android versions

The following products and versions are not vulnerable:
  • All Windows Network Connect (Non-FIPS) versions
  • All Pulse Secure Mobile for iOS (Non-FIPS) versions
  • All JSAM (Java Secure Application Manager) / WSAM (Windows Secure Application Manager) versions
  • Windows In-Box Pulse Secure client on Windows 8.1
  • Pulse Secure Mobile for Windows Phone 8.1 versions
Solution
Last Update: 10.00 a.m. June 25th 2014 Pacific Daylight Savings.

OpenSSL MITM vulnerability (CVE-2014-0224) is resolved in the following releases:
  • Pulse Connect Secure Version 8.0R4.1 and Pulse Secure Desktop Version 5.0R4.1
    • Additional issues below are resolved in this release:
      • CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
      • CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection or denial of service
      • CVE-2014-3470 Anonymous ECDH denial of service - Please note that Secure Access is not vulnerable, but the patches were implemented.
  • Pulse Connect Secure 7.4R11.1 and Pulse Secure Desktop Version 4.0R11.1
    • Additional issues below are resolved in this release:
      • CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
      • CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection or denial of service
      • CVE-2014-3470 Anonymous ECDH denial of service - Please note that Secure Access is not vulnerable, but the patches were implemented.
  • Pulse Connect Secure 7.1R19.1
    • Please note, the server side is not vulnerable.  7.1r19.1 will be made available to address the Linux Network Connect clients. For Pulse Secure Desktop clients, please use the Pulse Secure Desktop 5.0r4.1 or 4.0r11.1 releases.
** - For Virtual Appliance (VA) SPE and DTE versions download and upgrade the PCS software to apply the fix.
** - Network Connect for Mac OS X leverages the openssl version installed on Mac OS X. Please note that the vulnerability (OpenSSL MITM vulnerability (CVE-2014-0224)) can only be exploited if both server and client are vulnerable to this issue. In the event if only one of the two is vulnerable, there is no risk of exploitation. Hence patching the server side will help mitigate the issue.
** - For Core Access / Rewriter 8.0r4.1 and 7.4r11.1 addresses the server side fixes and for client side please refer to your Browser vendor. However, the vulnerability (OpenSSL MITM vulnerability (CVE-2014-0224)) can only be exploited if both server and client are vulnerable to this issue. In the event if only one of the two is vulnerable, there is no risk of exploitation. Hence patching the server side will help mitigate the issue.

Clients on Mobile Platforms *** :
  • Pulse Secure Mobile for iOS (FIPS) versions is resolved in 5.0r6
  • Pulse Secure Mobile for Android versions is resolved in 5.0r6

*** - Please note that the vulnerability (OpenSSL MITM vulnerability (CVE-2014-0224)) can only be exploited if both server and client are vulnerable to this issue. In the event if only one of the two is vulnerable, there is no risk of exploitation. Hence patching the server side will help mitigate the issue.
Workaround
Implementation
Related Links
CVSS Score
Risk Assessment
Acknowledgements
Alert TypePSN - Product Support Notification
Risk LevelMedium
Attachment 1 
Attachment 2 
Legacy ID

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255