SA40196 - [Pulse Secure] Badlock security advisory (CVE-2016-2118)

The Samba team has released (8) new security advisories. The issue known as "Badlock" was included in this new group of issues.

CVE-2016-2118 SAMR and LSA man in the middle attacks possible
Pulse Connect Secure: Vulnerable:
Resolved in 8.2R5
Resolved in 8.1R10

Pulse Policy Secure: Vulnerable:
Resolved in 5.3R5
Resolved in 5.2R8

CVE-2015-5370 Multiple errors in DCE-RPC code
Pulse Connect Secure: Vulnerable:
Resolved in 8.2R5
Resolved in 8.1R10

Pulse Policy Secure: Vulnerable:
Resolved in 5.3R5
Resolved in 5.2R8

CVE-2016-2110 Man in the middle attacks possible with NTLMSSP
Pulse Connect Secure: Vulnerable:
Resolved in 8.2R5
Resolved in 8.1R10

Pulse Policy Secure: Vulnerable:
Resolved in 5.3R5
Resolved in 5.2R8

CVE-2016-2113 Missing TLS certificate validation
Pulse Connect Secure: Vulnerable:
Resolved in 8.2R5
Resolved in 8.1R10

Pulse Policy Secure: Vulnerable:
Resolved in 5.3R5
Resolved in 5.2R8

Pulse Connect Secure / Pulse Policy Secure are not vulnerable to the following issues:
CVE-2016-2111 NETLOGON Spoofing Vulnerability
CVE-2016-2112 LDAP client and server don't enforce integrity
CVE-2016-2114 "server signing = mandatory" not enforced
CVE-2016-2114 "server signing = mandatory" not enforced
CVE-2016-2115 SMB IPC traffic is not integrity protected

This advisory will be updated as more information is made.

Pulse Secure is currently working to resolve these new issues.

Document History:
April 12th, 2016 -- Initial posting
May 5th, 2016 -- Added findings
July 1st, 2016 -- Provided ETA release dates
August 2nd, 2016 -- Updated ETA release dates, Added PPS release versions and release dates, minor format changes