This advisory provides information about multiple vulnerabilities resolved in Pulse Connect Secure and Pulse Policy Secure 9.0R1 & Pulse Desktop Client 9.0R2 releases. These issues apply to all releases prior to PCS and PPS 9.0R1 as well.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? for additional release details as per the End of Engineering (EOE) and End of Life (EOL) policies.

Additionally, these issues are resolved in the following releases:

Pulse Connect Secure:

• 9.0R1
• 8.3R6
• 8.1R14

Pulse Policy Secure:

• 9.0R1
• 5.4R6

Pulse Secure Desktop (Windows and macOS):

• 9.0R2
• 5.3R6

Pulse Secure Desktop (Windows):

 

CVE	CVSS Score (V3)	Summary
CVE-2018-16261	6.8 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	Local unauthorized user can gain elevated privilege access due to improper certificate handling when credential provider is enabled with Pulse Desktop Client 9.0R1 and 5.3RX before 5.3R5. ***Issue is only applicable to Pulse Secure Desktop when credential provider feature is enabled.

Pulse Secure Desktop (macOS):

 

CVE	CVSS Score (V3)	Summary
CVE-2018-15865	8.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	Local privilege escalation from /tmp folder was found in Pulse Secure Desktop (macOS) in 5.1rX before 5.1R11 and 5.3Rx before 5.3R6.
CVE-2018-15726	5.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	Metacharacter injection was found in Pulse Secure Desktop (macOS) 9.0R1 and 5.3RX before 5.3R5.
CVE-2018-15749	5.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	Format string vulnerability was found in Pulse Secure Desktop (macOS) 9.0R1 and 5.3RX before 5.3R5 allows local attacker to trigger information display (of information that should not be accessible).
	7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	Information exposure issue where IPV6 DNS traffic would be sent outside of the VPN tunnel when Traffic Enforcement was enabled with Pulse Secure Desktop 9.0R1 and below. ***Applicable only to dual-stack (IPV4/IPV6) endpoints

 

Pulse Connect Secure / Pulse Policy Secure:

All issues listed below are resolved in Pulse Connect Secure and Pulse Policy Secure 9.0R1 and above:
 

CVE	CVSS Score (V3)	Applies to	Summary
CVE-2018-0486	8.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N	PCS	XMLtooling mishandles digital signatures of user attribute data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via a crafted DTD in Pulse Connect Secure 8.1RX before 8.1R13 and 8.3RX before 8.3R5.
	8.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H	PCS	A cross site scripting issue has been found with rd.cgi in Pulse Connect Secure 8.3RX before 8.3R3 due to improper header sanitization. **Not applicable to 8.1RX
	4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	PCS	A Input validation issue has been found with login_meeting.cgi in Pulse Connect Secure 8.3RX before 8.3R2.
	10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	PCS/PCS	Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Connect Secure 8.3RX before 8.3R2 and Pulse Policy Secure 5.4RX before 5.4R2. **Not applicable to PCS 8.1RX, PPS 5.2RX or stand-alone devices
	5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	PCS	A hidden RPC service issue was found with Pulse Connect Secure 8.3RX before 8.3R2 and 8.1RX before 8.1R12.
	8.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H	PCS/PPS	A cross site scripting issue was found with Psaldownload.cgi in Pulse Connect Secure 8.3R2 before 8.3R2 and Pulse Policy Secure 5.4RX before 5.4R2. **Not applicable to PCS 8.1RX or PPS 5.2RX
CVE-2018-14366	7.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N	PCS/PPS	A open redirect issue was found with download.cgi with Pulse Connect Secure 8.3RX before 8.3R4, 8.1RX before 8.1R13 and Pulse Policy Secure 5.4RX before 5.4R4, 5.2RX before 5.2R10.
CVE-2018-6320	8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	PCS/PPS	An issue was found with improper validation of host header with login.cgi with Pulse Connect Secure 8.3RX before 8.3R2, 8.1RX before 8.1R12 and Pulse Policy Secure 5.4RX before 5.4R2, 5.2RX before 5.2R9.
	7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	PCS/PPS	Special crafted message can cause the web server to crash with Pulse Connect Secure 8.3RX before 8.3R5 and Pulse Policy Secure 5.4RX before 5.4R5. **Not applicable to PCS 8.1RX
	5.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L	PCS/PPS	A cross site scripting issue has been found with PSAL in Pulse Connect Secure 8.3RX before 8.3R5 and Pulse Policy Secure 5.4RX before 5.4R5. **Not applicable to PCS 8.1RX
A special thanks to Prashant BS for reporting a WordPress Vulnerability with the Pulse Secure website, which has been resolved.

None