Reset Search



SA40015 - OpenSSL security advisory for January 8th, 2015 (including SSL "FREAK" issue)

« Go Back


Product Affected
On January 8th 2015, the OpenSSL project released a security advisory. This advisory included eight (8) new CVEs. This article will describe the vulnerability and fix status for the Pulse Connect Secure product.

The OpenSSL advisory for these issues can be found here:
Updated: December, 28 8:25 AM PST

The following table has the Pulse Secure status for the issues in this OpenSSL advisory:


CVE IDDescriptionStatusCVSS Base Score
DTLS segmentation fault in dtls1_get_recordCVE-2014-3571Not vulnerable 
DTLS memory leak in dtls1_buffer_recordCVE-2015-0206Not vulnerable 
no-ssl3 configuration sets method to NULLCVE-2014-3569Not vulnerable 
ECDHE silently downgrades to ECDH [Client]CVE-2014-3572Pulse Secure Desktop resolved in: 5.0r11 and 5.1r32.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
RSA silently downgrades to EXPORT_RSA [Client] 
CVE-2015-0204Vulnerable: PRS-322311.
Required Configuration refer to [2]. 
PCS resolved in: 7.1r22, 8.0r10, and 8.1r2.1.
PPS resolved in: C5.0r10 and C5.1r2.1.
5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
DH client certificates accepted without verification [Server]CVE-2015-0205Vulnerable: PRS-322313.  PCS/PPS are vulnerable if DH client certificates are deployed (rare deployment).
Pulse client is vulnerable only when the PCS/PPS is vulnerable.Please refer to the workaround section.
PCS resolved in: 7.1r22, 8.0r10, and 8.1r2.1.
PPS resolved in: C5.0r10 and C5.1r2.1.
5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Certificate fingerprints can be modifiedCVE-2014-8275Not vulnerable 
Bignum squaring may produce incorrect resultsCVE-2014-3570Not vulnerable 

[1]  These issues are low risk because the impact is only found on malicious servers.  Our Pulse client uses a proprietary protocol and thus can only connect to servers that were built by our company.  Therefore, the impact is greatly reduced or even eliminated.

[2] The required configuration is to disable 56-bit and 40-bit ciphers (This will include all EXPORT and “weak” ciphers). To disable export cipher suites, navigate to System > Configuration > Security > SSL Options > Allow Encryption Strength should be set with "Custom SSL Cipher Option", then select AES/3DES and AES Cipher Suites. Under Encryption Strength Option, enable the checkbox for ‘Do not allow connections from browsers that only accept weaker ciphers’.

Related Links
CVSS Score
Risk Assessment
Alert TypePSN - Product Support Notification
Risk LevelMedium
Attachment 1 
Attachment 2 
Legacy ID



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255