SA40168 - [Pulse Secure] March 1st 2016 OpenSSL Security Advisory

Product Affected: All products are potentially affected

Problem

On March 1st, 2016, the OpenSSL project published a security advisory covering the issues listed below. These issues may affect Pulse Secure products. The OpenSSL advisory is available at: https://www.openssl.org/news/secadv/20160301.txt

Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
Double-free in DSA code (CVE-2016-0705)
Memory leak in SRP database lookups (CVE-2016-0798)
BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
Fix memory issues in BIO_*printf functions (CVE-2016-0799)
Side channel attack on modular exponentiation (CVE-2016-0702)
Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
Solution
This security advisory will be updated as our investigation continues.

Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)

Pulse Connect Secure: Not Vulnerable**
    Mitigation for 7.1: from the admin UI, disable SSLv2.
Pulse Policy Secure: Not Vulnerable
Pulse Secure Desktop Client (Windows & Mac OS X): Not Vulnerable
Pulse Secure Client - iOS: Resolved in 6.0.1
Pulse Secure Client - Android: Not Vulnerable
Pulse WorkSpace / One: Not Vulnerable
Windows Inbox (Windows 8 and 8.1): Not Vulnerable
Network Connect (Windows & Mac): Not Vulnerable
Network Connect (Linux) / Pulse Secure (Linux): Not Vulnerable
SBR: Vulnerable**
    Mitigation: SSLv2 can be disabled via the minimumProtocolVersion setting in the sbr_administration.xml file.


Double-free in DSA code (CVE-2016-0705)

Pulse Connect Secure: Not Vulnerable
Pulse Policy Secure: Not Vulnerable
Pulse Secure Desktop Client (Windows & Mac OS X): Not Vulnerable
Pulse Secure Client - iOS: Resolved in 6.0.1
Pulse Secure Client - Android: Resolved in 6.0.1
Pulse WorkSpace / One: Not Vulnerable
Windows Inbox (Windows 8 and 8.1): Not Vulnerable
Network Connect (Windows & Mac): Resolved in 8.2R3, 8.1R9, 8.0R15
Network Connect (Linux) / Pulse Secure (Linux): Resolved in 8.2R4, 8.1R10, 8.0R16
SBR: Not Vulnerable


Memory leak in SRP database lookups (CVE-2016-0798)

Pulse Connect Secure: Not Vulnerable
Pulse Policy Secure: Not Vulnerable
Pulse Secure Desktop Client (Windows & Mac OS X): Not Vulnerable
Pulse Secure Client - iOS: Resolved in 6.0.1
Pulse Secure Client - Android: Resolved in 6.0.1
Pulse WorkSpace / One: Not Vulnerable
Windows Inbox (Windows 8 and 8.1): Not Vulnerable
Network Connect (Windows & Mac): Not Vulnerable
Network Connect (Linux) / Pulse Secure (Linux): Not Vulnerable
SBR: Not Vulnerable

BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)

Pulse Connect Secure: Resolved in 8.2R3, 8.1R10, 8.0R16, 7.4R13.7
Pulse Policy Secure: Resolved in 5.3R3; 5.2R7 (Tentative for October 2016)
Pulse Secure Desktop Client (Windows & Mac OS X): Not Vulnerable
Pulse Secure Client - iOS: Resolved in 6.0.1
Pulse Secure Client - Android: Resolved in 6.0.1
Pulse WorkSpace / One: Not Vulnerable
Windows Inbox (Windows 8 and 8.1): Not Vulnerable
Network Connect (Windows & Mac): Resolved in 8.2R3, 8.1R9, 8.0R15
Network Connect (Linux) / Pulse Secure (Linux): Resolved in 8.2R4, 8.1R10, 8.0R16
Odyssey (Windows): Not Vulnerable
SBR: Under Investigation

Fix memory issues in BIO_*printf functions (CVE-2016-0799)

Pulse Connect Secure: Resolved in 8.2R3, 8.1R10, 8.0R16, 7.4R13.7
Pulse Policy Secure: Resolved in 5.3R3; 5.2R7 (Tentative for October 2016)
Pulse Secure Desktop Client (Windows & Mac OS X): Resolved in 5.2R3, 5.1R9
Pulse Secure Client - iOS: Resolved in 6.0.1
Pulse Secure Client - Android: Resolved in 6.0.1
Pulse WorkSpace / One: Not Vulnerable
Windows Inbox (Windows 8 and 8.1): Not Vulnerable
Network Connect (Windows & Mac): Resolved in 8.2R3, 8.1R9, 8.0R15
Network Connect (Linux) / Pulse Secure (Linux): Resolved in 8.2R4, 8.1R10, 8.0R16
Odyssey (Windows): Under Investigation
SBR: Vulnerable

Side channel attack on modular exponentiation (CVE-2016-0702)

Pulse Connect Secure: Not Vulnerable
Pulse Policy Secure: Not Vulnerable
Pulse Connect Secure / Pulse Policy Secure Virtual Appliance (VA): Vulnerable
Pulse Secure Desktop Client (Windows & Mac OS X): Resolved in 5.2R3, 5.1R9
Pulse Secure Client - iOS: Not Vulnerable
Pulse Secure Client - Android: Not Vulnerable
Pulse WorkSpace / One: Not Vulnerable
Windows Inbox (Windows 8 and 8.1): Vulnerable
Network Connect (Windows & Mac): Resolved in 8.2R3, 8.1R9, 8.0R15
Network Connect (Linux) / Pulse Secure (Linux): Resolved in 8.2R4, 8.1R10, 8.0R16
Odyssey (Windows): Under Investigation
SBR: Not Vulnerable


Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)

Pulse Connect Secure: Not Vulnerable
Pulse Policy Secure: Not Vulnerable
Pulse Secure Desktop Client (Windows & Mac OS X): Not Vulnerable
Pulse Secure Client - iOS: Not Vulnerable
Pulse Secure Client - Android: Not Vulnerable
Pulse WorkSpace / One: Not Vulnerable
Windows Inbox (Windows 8 and 8.1): Not Vulnerable
Network Connect (Windows & Mac): Not Vulnerable
Network Connect (Linux) / Pulse Secure (Linux): Not Vulnerable
Odyssey (Windows): Not Vulnerable
SBR: Vulnerable**
    Mitigation: SSLv2 can be disabled via the minimumProtocolVersion setting in the sbr_administration.xml file.


Bleichenbacher oracle in SSLv2 (CVE-2016-0704)

Pulse Connect Secure: Not Vulnerable**
    Mitigation for 7.1: from the admin UI, disable SSLv2.
Pulse Policy Secure: Not Vulnerable
Pulse Secure Desktop Client (Windows & Mac OS X): Not Vulnerable
Pulse Secure Client - iOS: Not Vulnerable
Pulse Secure Client - Android: Not Vulnerable
Pulse WorkSpace / One: Not Vulnerable
Windows Inbox (Windows 8 and 8.1): Not Vulnerable
Network Connect (Windows & Mac): Not Vulnerable
Network Connect (Linux) / Pulse Secure (Linux): Not Vulnerable
Odyssey (Windows): Not Vulnerable
SBR: Vulnerable**
    Mitigation: SSLv2 can be disabled via the minimumProtocolVersion setting in the sbr_administration.xml file.

Document history:
March 1st, 2016 - Initial document posted
March 3rd, 2016 - Updated various products with current status
March 7th, 2016 - Adjustment to CVE-2016-0702 (applicable only to Virtual Appliances)
March 9th, 2016 - Added additional mitigation for 7.1 for CVE-2016-0704 & CVE-2016-0800
March 30th, 2016 - Added iOS and Android updates
April 1st, 2016 - Updated CVE-2016-0703 Mac/Win Pulse Desktop status
April 5th, 2016 - Updated CVE-2016-0705 PCS/PPS status, CVE-2016-0799 PCS/PPS status, CVE-2016-0702 Pulse Desktop status
April 7th, 2016 - Updated CVE-2016-0797 PCS/PPS status
May 5th, 2016 - Added product ETAs to mobile clients
June 27th, 2016 - Added fixed versions for Network Connect (Windows & Mac), Network Connect (Linux), and Pulse Secure (Linux)
July 5th, 2016 - Updated ETAs for Pulse Secure Mobile Clients
August 1st, 2016 - Updated ETAs for Pulse Secure Mobile Clients to mid-August
August 9th, 2016 - Updated tentative dates for CVE-2016-0797 and CVE-2016-0799
Alert Type: SA - Security Advisory