Pulse Secure is currently investigating these issues. We will update this article as our research and evaluation progress.
Current status (only known vulnerable issues are listed):
EVP_EncodeUpdate overflow (CVE-2016-2105)
Pulse Connect Secure/Policy Secure: Vulnerable. Fixed in: 8.2r4, 8.1r10, 8.0r16, 7.4r13.7, and C5.2R7.
Linux NC: Vulnerable. Fixed in: 8.2r5, 8.1r10.

EVP_EncryptUpdate overflow (CVE-2016-2106)
Pulse Connect Secure/Policy Secure: Vulnerable. Fixed in: 8.2r4, 8.1r10, 8.0r16, 7.4r13.7, and C5.2R7.
Pulse Desktop (Mac/Win): Vulnerable. Fixed in: 5.2r5.

Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
Not vulnerable.

Memory corruption in the ASN.1 encoder (CVE-2016-2108)
Pulse Connect Secure/Policy Secure: Vulnerable. Fixed in: 8.2r4, 8.1r10, 8.0r16, 7.4r13.7, and C5.2R7.
Linux NC: Vulnerable. Fixed in: 8.2r5, 8.1r10.

ASN.1 BIO excessive memory allocation (CVE-2016-2109)
Pulse Connect Secure/Policy Secure: Vulnerable. Fixed in: 8.2r4, 8.1r10, 8.0r16, 7.4r13.7, and C5.2R7.
Pulse Desktop (Mac/Win): Vulnerable. Fixed in: 5.2r5.
Mac NC: Vulnerable. Fixed in: 8.2r5.
Windows NC: Vulnerable. Fixed in: 5.2r5, 5.1r10, 5.0r16.
Linux NC: Vulnerable. Fixed in: 8.2r5, 8.1r10.

EBCDIC overread (CVE-2016-2176)
Not vulnerable.
Document history:
May 2, 2016: Initial document posted
May 5, 2016: Product updates added
May 27th, 2016: Added updates for fixed releases.