SA43681 - 2016-11: CSRF vulnerability with Brocade Virtual Traffic Manager (vTM) (CVE-2016-8201)

A CSRF vulnerability in Pulse Secure Virtual Traffic Manager versions released prior to and including 11.0, could allow an attacker to trick a logged-in user into making administrative changes on the traffic manager cluster.

This issue is applicable to all Pulse Secure Virtual Traffic Manager versions released prior to and including 11.0.  No other Pulse Secure products are currently known to be affected by this vulnerability.

CVE-2016-8201 has been applied to this vulnerability.

Pulse Secure has fixed the vulnerability described in this advisory in Brocade Virtual Traffic Manager Versions 11.1, 10.4r1, 9.9r2 and later releases. The patch releases have been posted to the Pulse Secure customer portal.

Minimizing exposure to this vulnerability can be done by the following means:

• Reducing the amount of time an administrator is logged into the web user interface by actively logging out at the end of each administration session.
• Ensuring the permissions for each administrator account are reduced to the minimal set required in line with the principle of least privilege.
• Avoiding using any untrusted service/system/network while logged in as an administrator via the web user interface.

A broader workaround is to prevent access to untrusted service/system/network while using the web user interface, potentially by partitioning and isolating the management network. To restrict administrative access to only be available via a single IP address, see the bindip configuration setting. Other administrative interfaces, specifically the REST API, SOAP API and zcli utility, are not impacted by this vulnerability and can be used to perform a wide range of administrative operations.


Document History:

November 26, 2016 - Initial publication on Brocade website
March 12, 2018 - Republish advisory on Pulse Secure website

This issue was reported by Sven Schleier of Vantage Point Security.