The solution for these vulnerabilities is to upgrade your Pulse Connect Secure and Pulse Policy Secure server software to the corresponding version that has the fix. The following table provides guidance on the software you should deploy, depending on your current software version.
|If the PCS/PPS version is installed:||Then deploy this version (or later) to resolve the issue:||Expected Release||Notes (if any)|
|Pulse Connect Secure 9.0RX||Pulse Connect Secure 9.0R3.4 & 9.0R4||Available Now|| |
|Pulse Connect Secure 8.3RX||Pulse Connect Secure 8.3R7.1||Available Now|| |
|Pulse Connect Secure 8.2RX||Pulse Connect Secure 8.2R12.1||Available Now|| |
|Pulse Connect Secure 8.1RX||Pulse Connect Secure 8.1R15.1||Available Now|| |
|Pulse Policy Secure 9.0RX||Pulse Policy Secure 9.0R3.2 & 9.0R4||Available Now|| |
|Pulse Policy Secure 5.4RX||Pulse Policy Secure 5.4R7.1||Available Now|| |
|Pulse Policy Secure 5.3RX||Pulse Policy Secure 5.3R12.1||Available Now|| |
|Pulse Policy Secure 5.2RX||Pulse Policy Secure 5.2R12.1||Available Now|| |
|Pulse Policy Secure 5.1RX||Pulse Policy Secure 5.1R15.1||Available Now|| |
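As an added example (not part of Pulse Secure's advisory), the table above can be turned into a fleet check that flags appliances still below the fixed build for their branch. It assumes version strings of the form `<major>.<minor>R<release>[.<patch>]` as written in the table, and that builds within a branch order by release and then patch number, so 9.0R4 counts as later than 9.0R3.4; the function names and the sample inventory are constructed for illustration.

```python
import re

# First fixed build per branch, copied from the advisory table:
# (product, "major.minor") -> (release, patch)
FIXED = {
    ("PCS", "9.0"): (3, 4), ("PCS", "8.3"): (7, 1),
    ("PCS", "8.2"): (12, 1), ("PCS", "8.1"): (15, 1),
    ("PPS", "9.0"): (3, 2), ("PPS", "5.4"): (7, 1),
    ("PPS", "5.3"): (12, 1), ("PPS", "5.2"): (12, 1),
    ("PPS", "5.1"): (15, 1),
}

# Assumed version format, as written in the table: 9.0R3.4, 8.2R12.1, 9.0R4
VERSION_RE = re.compile(r"^(\d+\.\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Return (branch, (release, patch)); raise ValueError if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch, release, patch = m.groups()
    return branch, (int(release), int(patch or 0))

def check(product, version):
    """Classify one appliance as 'fixed', 'vulnerable' or 'unknown'."""
    try:
        branch, build = parse_version(version)
    except ValueError:
        return "unknown"  # do not guess; review this appliance by hand
    minimum = FIXED.get((product.upper(), branch))
    if minimum is None:
        return "unknown"  # branch is not listed in the advisory table
    return "fixed" if build >= minimum else "vulnerable"

def audit(inventory):
    """Map hostname -> status for an iterable of (host, product, version)."""
    return {host: check(product, ver) for host, product, ver in inventory}

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = [
    ("vpn-a.example.test", "PCS", "9.0R3.3"),
    ("vpn-b.example.test", "PCS", "8.2R12.1"),
    ("nac-a.example.test", "PPS", "5.1R15"),
    ("vpn-c.example.test", "PCS", "not-reported"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Appliances reported as `unknown` (unparseable version or a branch the table does not list) need manual review rather than being treated as safe.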
Exploitation and Announcements:
The vulnerabilities described in this advisory were found and properly disclosed by security researchers on March 22, 2019.
Pulse Secure PSIRT is not aware of any malicious exploitation of these vulnerabilities.
Frequently Asked Questions (FAQ):
Question 1: Can I delay the upgrade and upgrade to the next major release instead?
Answer: Some of these vulnerabilities have a critical CVSS score and pose significant risk to your deployment. Pulse Secure recommends upgrading to the corresponding version with the fix as soon as possible.
Question 2: Do I need to reboot my appliance after upgrading to the fix version?
Answer: Yes, once you upgrade your device it will automatically be rebooted.
Question 3: Do I need to upgrade Pulse Secure client components on my Windows, Mac, Linux, Android, or iOS endpoints?
Answer: Although the vulnerabilities are on the PCS/PPS server side, client-side components such as Legacy WSAM/Network Connect/Host Checker/Terminal Services will upgrade to their equivalent PCS-side versions. Therefore, the client machines need to have the Pulse installer service installed or have the required privileges/rights.
Note:
i. Pulse Desktop Clients will upgrade on the endpoints if the PCS/PPS server-side configuration is set to “Auto-Upgrade” with a higher Pulse Desktop Client package set to Active.
ii. iOS and Android are not impacted by any client-side component upgrade.
Question 4: How do I upgrade Pulse Connect Secure / Pulse Policy Secure to resolve this vulnerability?
Answer: Download a fixed version of Pulse Connect Secure or Pulse Policy Secure from the Licensing & Download Center at https://my.pulsesecure.net. Refer to KB23051 for more details.
Question 5: Is there any workaround to fix this vulnerability temporarily?
Answer: No, there is no workaround. Administrators have to upgrade their devices to fixed versions.
Question 6: I do not have access to my.pulsesecure.net to download the recommended PCS/PPS version.
Answer: Please refer to KB40031 for onboarding at my.pulsesecure.net. If you face any issues, please contact Pulse Secure Global Support Center.
Document History:
April 24, 2019 - Initial advisory posted
April 25, 2019 - CVE-2019-11510, CVE-2019-11509, CVE-2019-11508, CVE-2019-11507, CVE-2019-11543, CVE-2019-11542, CVE-2019-11541, CVE-2019-11540, CVE-2019-11539, CVE-2019-11538 were assigned. Workaround provided for CVE-2019-11508.
LEGAL DISCLAIMER
- THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK. PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
- A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS. THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.