SA43903 - Response to SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391)

Problem
SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391) are described as TCP implementation denial-of-service vulnerabilities. A remote attacker who sends crafted sequences of TCP/IP packets may cause excessive CPU utilization, creating a denial-of-service (DoS) condition on the system. This attack requires a successful two-way TCP connection to an open port, so it cannot be performed using spoofed IP addresses.

These issues apply to the following releases:
  • Pulse Connect Secure 9.0RX
  • Pulse Connect Secure 8.3RX
  • Pulse Policy Secure 9.0RX
  • Pulse Policy Secure 5.4RX

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? for additional release details as per the End of Engineering (EOE) and End of Life (EOL) policies.
Solution
These issues will be resolved in the following releases:
  • Pulse Connect Secure 9.0R4
  • Pulse Policy Secure 9.0R4
Pulse Secure is working on a fix for other versions and will continue to update the advisory with tentative timelines.

Document History:
October 2, 2018 - Initial publication
April 29, 2019 - Updated fixed version for Pulse Connect Secure and Pulse Policy Secure
CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Alert Type: SA - Security Advisory
Risk Level: High