SA43582 - Out-of-Cycle Advisory: Virtual Traffic Manager (vTM) Password Management Vulnerability/Sensitive Data Protection Vulnerability/Principle Of Least Privilege Violation

Information

 
Product Affected: Virtual Traffic Manager (vTM) 9.9R2, 10.4R1, 17.2, 17.3 and below
Problem
A vulnerability in vTM could allow a remote attacker to gain unauthorized access to a targeted system. The vulnerability is due to an insufficiently secure derivation method for the zcli “passwordless” account password.

To exploit this issue, an attacker may need access to a trusted or internal network in which the target vTM resides. This access requirement could reduce the likelihood of a successful exploit.
Solution
A fix for this issue is included in Pulse Secure Virtual Traffic Manager versions 9.9R3, 10.4R2, 17.2R1 and 17.4.
Workaround
If an upgrade is not possible, administrators are advised to only allow trusted hosts between the clustered vTMs.
CVSS Score: 8.0 AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Alert Type: SA - Security Advisory
Risk Level: High