SA40312 - September 22 2016 OpenSSL Security Advisory

« Go Back

Information

Product Affected

Problem

On September 22, 2016 the OpenSSL project announced a group of new security advisories. These issues affect all supported versions of Pulse Secure products. For a list of supported software versions, please refer to our EOL policy.

The OpenSSL advisory can be found at the following link: https://www.openssl.org/news/changelog.html.

Solution

All Pulse Secure products were evaluated and found not vulnerable to the following CVE's:

OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
Fix Use After Free for large message sizes (CVE-2016-6309)
Missing CRL sanity check (CVE-2016-7052)
SSL_peek() hang on empty record (CVE-2016-6305)
Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)
Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)

Products confirmed not vulnerable:

Pulse Workspace
Pulse One
Pulse Mobile iOS (Non-FIPS)
Network Connect (Windows, Non-FIPS)

Affected Products:

Pulse Secure is currently investigating all products below to determine which products may be affected by these vulnerabilities and the impact on all supported software versions. Since the investigation is on-going, we suggest to subscribe to this advisory as this document will be periodically updated with the latest status.

SWEET32 Mitigation (CVE-2016-2183)

Pulse Connect Secure	Resolved in 8.2R6 Resolved in 8.1R11.1 8.0RX is not affected
Pulse Policy Secure	Resolved in 5.3R6 Resolved in 5.2R9
Pulse Desktop client (Windows & MAC OS X)	Resolved in 5.2R6 Resolved in 5.1R11 Resolved in 5.0R16
Pulse Mobile (Android)	Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)	Resolved in 6.2.0
Network Connect / Pulse (Linux)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
Network Connect (Mac OS X)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
Network Connect FIPS (Windows)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
SBR Enterprise	Vulnerable
Odyssey Client (Windows)	Vulnerable

** In 8.1R11.1, 3DES ciphers was moved from "Accept only 168-bit and greater (maximize security)" to "Accept only 128-bit and greater (security and browser compatibility)". In 8.1R12, 3DES was moved from the HIGH to MEDIUM option under "Custom SSL Cipher Selection". In 8.2RX / 5.3RX release, granular cipher suites feature was added which allows the administrator to remove DES and 3DES cipher suites from the admin UI and does not require an upgrade to mitigate this issue.

OOB write in MDC2_Update() (CVE-2016-6303)

Pulse Connect Secure	Not vulnerable
Pulse Policy Secure	Not vulnerable
Pulse Desktop client (Windows & MAC OS X)	Not vulnerable
Pulse Mobile (Android)	Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)	Resolved in 6.2.0
Network Connect / Pulse (Linux)	Not vulnerable
Network Connect (Mac OS X)	Not vulnerable
Network Connect FIPS (Windows)	Not vulnerable
SBR Enterprise	Vulnerable
Odyssey Client (Windows)	Not vulnerable

Malformed SHA512 ticket DoS (CVE-2016-6302)

Pulse Connect Secure	Not vulnerable
Pulse Policy Secure	Not vulnerable
Pulse Desktop client (Windows & MAC OS X)	Resolved in 5.2R6 Resolved in 5.1R11 Resolved in 5.0R16
Pulse Mobile (Android)	Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)	Resolved in 6.2.0
Network Connect / Pulse (Linux)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
Network Connect (Mac OS X)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
Network Connect FIPS (Windows)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
SBR Enterprise	Vulnerable
Odyssey Client (Windows)	Vulnerable

OOB write in BN_bn2dec() (CVE-2016-2182)

Pulse Connect Secure	Resolved in 8.2R6 Resolved in 8.1R11 8.0RX is not affected
Pulse Policy Secure	Resolved in 5.3R6 Resolved in 5.2R9
Pulse Desktop client (Windows & MAC OS X)	Not vulnerable
Pulse Mobile (Android)	Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)	Resolved in 6.2.0
Network Connect / Pulse (Linux)	Not vulnerable
Network Connect (Mac OS X)	Not vulnerable
Network Connect FIPS (Windows)	Not vulnerable
SBR Enterprise	Not vulnerable
Odyssey Client (Windows)	Vulnerable

OOB read in TS_OBJ_print_bio() (CVE-2016-2180)

Pulse Connect Secure	Not vulnerable
Pulse Policy Secure	Not vulnerable
Pulse Desktop client (Windows & MAC OS X)	Not vulnerable
Pulse Mobile (Android)	Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)	Resolved in 6.2.0
Network Connect / Pulse (Linux)	Not vulnerable
Network Connect (Mac OS X)	Not vulnerable
Network Connect FIPS (Windows)	Not vulnerable
SBR Enterprise	Vulnerable
Odyssey Client (Windows)	Vulnerable

Pointer arithmetic undefined behaviour (CVE-2016-2177)

Pulse Connect Secure	Not vulnerable
Pulse Policy Secure	Not vulnerable
Pulse Desktop client (Windows & MAC OS X)	Resolved in 5.2R6 Resolved in 5.1R11 Resolved in 5.0R16
Pulse Mobile (Android)	Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)	Resolved in 6.2.0
Network Connect / Pulse (Linux)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
Network Connect (Mac OS X)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
Network Connect FIPS (Windows)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
SBR Enterprise	Vulnerable
Odyssey Client (Windows)	Vulnerable

Constant time flag not preserved in DSA signing (CVE-2016-2178)

Pulse Connect Secure	Not vulnerable
Pulse Policy Secure	Not vulnerable
Pulse Desktop client (Windows & MAC OS X)	Not vulnerable
Pulse Mobile (Android)	Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)	Resolved in 6.2.0
Network Connect / Pulse (Linux)	Not vulnerable
Network Connect (Mac OS X)	Not vulnerable
Network Connect FIPS (Windows)	Not vulnerable
SBR Enterprise	Vulnerable
Odyssey Client (Windows)	Vulnerable

DTLS buffered message DoS (CVE-2016-2179)

Pulse Connect Secure	Not vulnerable
Pulse Policy Secure	Not vulnerable
Pulse Desktop client (Windows & MAC OS X)	Not vulnerable
Pulse Mobile (Android)	Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)	Resolved in 6.2.0
Network Connect / Pulse (Linux)	Not vulnerable
Network Connect (Mac OS X)	Not vulnerable
Network Connect FIPS (Windows)	Not vulnerable
SBR Enterprise	Not vulnerable
Odyssey Client (Windows)	Not vulnerable

DTLS replay protection DoS (CVE-2016-2181)

Pulse Connect Secure	Not vulnerable
Pulse Policy Secure	Not vulnerable
Pulse Desktop client (Windows & MAC OS X)	Not vulnerable
Pulse Mobile (Android)	Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)	Resolved in 6.2.0
Network Connect / Pulse (Linux)	Not vulnerable
Network Connect (Mac OS X)	Not vulnerable
Network Connect FIPS (Windows)	Not vulnerable
SBR Enterprise	Not vulnerable
Odyssey Client (Windows)	Not vulnerable

Certificate message OOB reads (CVE-2016-6306)

Pulse Connect Secure	Resolved in 8.2R6 Resolved in 8.1R11 8.0RX is not affected
Pulse Policy Secure	Resolved in 5.3R6 Resolved in 5.2R9
Pulse Desktop client (Windows & MAC OS X)	Resolved in 5.2R6 Resolved in 5.1R11 Resolved in 5.0R16
Pulse Mobile (Android)	Resolved in 6.2.0
Pulse Mobile (iOS) (FIPS)	Resolved in 6.2.0
Network Connect / Pulse (Linux)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
Network Connect (Mac OS X)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
Network Connect FIPS (Windows)	Resolved in 8.2R6 Resolved in 8.1R11 Resolved in 8.0R16
SBR Enterprise	Vulnerable
Odyssey Client (Windows)	Vulnerable

Document History:

September 22nd, 2016 - Initial document posted
September 30th, 2016 - Updated various products and statuses
October 3rd, 2016 - Added SBR status for all CVE's, [CVE-2016-6308, CVE-2016-6307,CVE-2016-6305] has been confirmed not vulnerable for all Pulse Secure products
October 8th, 2016 - All products confirmed not vulnerable for CVE-2016-6304 and SBR status update for CVE-2016-6302, CVE-2016-2178, CVE-2016-2177, CVE-2016-2180, CVE-2016-6306
October 18th, 2016 - Updated tentative dates for Pulse Secure Desktop, Network Connect (Mac), Network Connect / Pulse (Linux), Network Connect FIPS (Windows)
October 31, 2016 - Additional mitigation steps provided for 8.1RX and below for CVE-2016-2183
November 10th, 2016 - Added tentative dates for PCS and PPS, 8.0RX for PCS is not affected
January 10th, 2016 - Added fixed release for Pulse Mobile iOS (FIPS) 6.2.0
February 8th, 2017 - Added tentative date for PPS 5.2R9
March 20th, 2017 - Update PCS release to 8.1R11.1 for CVE-2016-2183

Workaround

Implementation

Related Articles

SA40312 - September 22 2016 OpenSSL Security Advisory

Information

Products confirmed not vulnerable:

Affected Products:

Feedback

Was this article helpful?