Reset Search



SA43730 - 2018-04 Security Bulletin: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0R1 and vTM 18.1

« Go Back


Product AffectedPulse Connect Secure, Pulse Policy Secure, Virtual Traffic Manager
This advisory provides information about multiple vulnerabilities resolved in Pulse Connect Secure 9.0R1, Pulse Policy Secure 9.0R1 and Virtual Traffic Manager 18.1 releases.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? per our End of Engineering (EOE) and End of Life (EOL) policies.

These issues are resolved in the following releases:

Pulse Connect Secure:
  • 9.0R1
  • 8.3R5
  • 8.2R11
  • 8.1R14
Pulse Policy Secure:
  • 9.0R1
  • 5.4R4
  • 5.3R11
  • 5.2R10
Virtual Traffic Manager:
  • 18.1
  • 17.2r1
  • 10.4r2
  • 9.9r3
CVECVSS Score (V3)Summary
The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value.
Pulse Connect Secure 8.1.x before 8.1R14, 8.2.x before 8.2R11, and 8.3.x before 8.3R5 do not properly process nested XML entities, which allows remote attackers to cause a denial of service (memory consumption and memory errors) via a crafted XML document.
6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
A cross site scripting issue has been found in welcome.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R12, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 due to one of the URL parameters not being sanitized properly.
An issue was discovered in the IPv6 protocol specification, related to ICMP Packet Too Big (PTB) messages. (The scope of this CVE is all affected IPv6 implementations from all vendors.) The security implications of IP fragmentation have been discussed at length in [RFC6274] and [RFC7739]. An attacker can leverage the generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual fragmentation of packets is not needed) and can subsequently perform any type of fragmentation-based attack against legacy IPv6 nodes that do not implement [RFC6946
6.4 CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Samba client code always requests a forwardable ticket
when using Kerberos authentication. This means the
target server, which must be in the current or trusted
domain/realm, is given a valid general purpose Kerberos
"Ticket Granting Ticket" (TGT), which can be used to
fully impersonate the authenticated user or service
5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

A remote, authenticated, attacker can cause the winbindd process
to crash using a legitimate Kerberos ticket due to incorrect
handling of the arcfour-hmac-md5 PAC checksum.

A local service with access to the winbindd privileged pipe can
cause winbindd to cache elevated access permissions.

 8.3 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:HA cross site scripting issue has been found in new_object.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R13, 8.2.x before 8.2R10, and 8.3.x before 8.3R4 due to one of the URL parameters not being sanitized properly.
 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NPulse Policy Secure 5.2RX before 5.2R9 and 5.3RX before 5.3R2 does not apply inbound SSL connection cipher suite changes to enforcer connections (port 11123)

Virtual Traffic Manager:
CVECVSS Score (V3)Summary
A stored cross-site scripting (XSS) vulnerability in the web administration user interface of Pulse Secure Virtual Traffic manager (vTM) may allow a remote authenticated attacker to inject web script or HTML via a crafted website and steal sensitive data and credentials. Affected releases are Pulse Secure vTM 9.9 version prior to 9.9r2, 10.4r1 and 17.2r1.
Pulse Secure Virtual Traffic Manager 9.9 version prior to 9.9r2, 10.4r1, and 17.2r1 allow a remote authenticated user to obtain sensitive historical activity information by leveraging incorrect permission validation.
Related Links
CVSS Score
Risk Assessment
Thank you to Ekzhin Ear from NATO Communications and Information Agency Cyber Security for discovering a XSS issue with the vTM and responsibly reporting to Pulse Secure.
Alert TypeSA - Security Advisory
Risk Level 
Attachment 1 
Attachment 2 
Legacy ID



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255