This advisory provides information about recently discovered vulnerability (CVE-2019-14899).  The flaw could be exploited by an attacker who shares the same network segment with the targeted user to determine if they are using a VPN, obtain the virtual IP address, determine if the target is currently visiting a specified website, and even inject data into the TCP stream. As per the details, it is possible to hijack active connections within the VPN tunnel.

 

Pulse Secure is currently evaluating the following issue reported in CVE-2019-14899.

Pulse Secure is currently investigating all products below to determine which products may be affected by these vulnerabilities and the impact on all supported software versions. Since the investigation is on-going, we suggest to subscribe to this advisory as this document will be periodically updated with the latest status.

CVE-2019-14899 
5.3 Medium 3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
 

Pulse Connect Secure	Not Vulnerable
Pulse Policy Secure	Not Vulnerable
Pulse One	Not Vulnerable
Pulse Secure Desktop Client (Windows)	Not Vulnerable
Pulse Secure Desktop Client (MAC)	Vulnerable
Pulse Secure Desktop Client (Linux)	Vulnerable
Pulse Mobile Client (iOS)	Resolved in iOS 13.6. Refer to Apple Release Notes
Pulse Mobile Client (Android)	Vulnerable

• Android, iOS and macOS users need to follow up with their vendors as this requires OS level update.
• Linux users can set the reverse path filter value. However enabling rp filter might break some other functionality, else end users can configure IPTables rules.

Pulse Secure vADC

Under Review

  

Exploitation:

Pulse Secure PSIRT is not aware of any malicious exploitation for this vulnerability. 

Document History:
December 06, 2019 - Initial advisory posted
December 11, 2019 - Adding information for Pulse Desktop Client and Pulse Mobile
February 10, 2020 - Updated the information for Pulse Desktop Client and Pulse Mobile.
July 25, 2020 - Added Apple Release Notes for PadOS and iOS 13.6 for CVE-2019-14899

LEGAL DISCLAIMER

• THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
• A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.