Updated: December, 28 8:25 AM PST
The following table has the Pulse Secure status for the issues in this OpenSSL advisory:
| CVE ID | Description | Status | CVSS Base Score |
|---|
| DTLS segmentation fault in dtls1_get_record | CVE-2014-3571 | Not vulnerable | |
| DTLS memory leak in dtls1_buffer_record | CVE-2015-0206 | Not vulnerable | |
| no-ssl3 configuration sets method to NULL | CVE-2014-3569 | Not vulnerable | |
| ECDHE silently downgrades to ECDH [Client] | CVE-2014-3572 | Pulse Secure Desktop resolved in: 5.0r11 and 5.1r3 | 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) |
RSA silently downgrades to EXPORT_RSA [Client]
AKA SSL "FREAK" | CVE-2015-0204 | Vulnerable: PRS-322311.
Required Configuration refer to [2].
PCS resolved in: 7.1r22, 8.0r10, and 8.1r2.1.
PPS resolved in: C5.0r10 and C5.1r2.1. | 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:N) |
| DH client certificates accepted without verification [Server] | CVE-2015-0205 | Vulnerable: PRS-322313. PCS/PPS are vulnerable if DH client certificates are deployed (rare deployment).
Pulse client is vulnerable only when the PCS/PPS is vulnerable.Please refer to the workaround section.
PCS resolved in: 7.1r22, 8.0r10, and 8.1r2.1.
PPS resolved in: C5.0r10 and C5.1r2.1. | 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) |
| Certificate fingerprints can be modified | CVE-2014-8275 | Not vulnerable | |
| Bignum squaring may produce incorrect results | CVE-2014-3570 | Not vulnerable | |
[1] These issues are low risk because the impact is only found on malicious servers. Our Pulse client uses a proprietary protocol and thus can only connect to servers that were built by our company. Therefore, the impact is greatly reduced or even eliminated.
[2] The required configuration is to disable 56-bit and 40-bit ciphers (This will include all EXPORT and “weak” ciphers). To disable export cipher suites, navigate to System > Configuration > Security > SSL Options > Allow Encryption Strength should be set with "Custom SSL Cipher Option", then select AES/3DES and AES Cipher Suites. Under Encryption Strength Option, enable the checkbox for ‘Do not allow connections from browsers that only accept weaker ciphers’.
