SA40423 - January 26, 2017 OpenSSL Security Advisory

On January 26, 2017 the OpenSSL project announced a group of new security advisories. These issues affect all supported versions of Pulse Secure products. For a list of supported software versions, please refer to our EOL policy.

The OpenSSL advisory can be found at the following link: https://www.openssl.org/news/changelog.html.

Pulse Secure is currently evaluating the following issues reported by OpenSSL:


Truncated packet could crash via OOB read (CVE-2017-3731) 
 

Pulse Connect Secure	Affected if RC4 is enabled** Not affected if RC4 is disabled
Pulse Policy Secure	Affected if RC4 is enabled** Not affected if RC4 is disabled
Pulse Desktop client (Windows & MAC OS X)	Resolved in 5.2R8 & 5.1R12
Pulse Mobile (Android)	Affected***
Pulse Mobile (iOS) / (FIPS)	Not affected
Network Connect / Pulse (Linux)	Resolved in 8.2R8 & 8.1R13
Network Connect Windows / macOS	Not affected
Network Connect FIPS (Windows)	Resolved in 8.2R8 & 8.1R12
SBR Enterprise	Under Investigation
Odyssey Client (Windows)	Under Investigation

** To mitigate this issue, the administrator can disable RC4 on PCS/PPS devices. Please refer to KB30342 - How to disable RC4 cipher suites on a Pulse Connect Secure (PCS) device
*** Applicable to Android 4.4.4 and below only.  Google has disabled RC4 in Android 5.0 and above.

Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
 

Pulse Connect Secure	Not affected
Pulse Policy Secure	Not affected
Pulse Desktop client (Windows & MAC OS X)	Not affected
Pulse Mobile (Android)	Not affected
Pulse Mobile (iOS) / (FIPS)	Not affected
Network Connect / Pulse (Linux)	Not affected
Network Connect (Mac OS X)	Not affected
Network Connect FIPS (Windows)	Not affected
SBR Enterprise	Under Investigation
Odyssey Client (Windows)	Under Investigation

BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)​
 

Pulse Connect Secure	Not affected
Pulse Policy Secure	Not affected
Pulse Desktop client (Windows & MAC OS X)	Not affected
Pulse Mobile (Android)	Not affected
Pulse Mobile (iOS) / (FIPS)	Not affected
Network Connect / Pulse (Linux)	Not affected
Network Connect (Mac OS X)	Not affected
Network Connect FIPS (Windows)	Not affected
SBR Enterprise	Under Investigation
Odyssey Client (Windows)	Under Investigation

Montgomery multiplication may produce incorrect results (CVE-2016-7055)
 

Pulse Connect Secure	Not affected
Pulse Policy Secure	Not affected
Pulse Desktop client (Windows & MAC OS X)	Not affected
Pulse Mobile (Android)	Not affected
Pulse Mobile (iOS) / (FIPS)	Not affected
Network Connect / Pulse (Linux)	Not affected
Network Connect (Mac OS X)	Not affected
Network Connect FIPS (Windows)	Not affected
SBR Enterprise	Under Investigation
Odyssey Client (Windows)	Under Investigation

Document History:

February 17, 2017 - Updated PCS, PPS, Pulse Mobile and Pulse Desktop impact
February 23, 2017 - Updated Network Connect and Pulse Mobile status
February 28, 2017 - Updated tentative date for CVE-2017-3731 for Network Connect / Pulse Linux client
March 1, 2017 - Updated CVE-2017-3730 status for PCS / PPS
April 6, 2017 - Updated CVE-2017-3731 status for Network Connect FIPS (Windows)