
SA44328 - 2019-12: Out-of-Cycle Advisory: Vulnerability could allow attackers to sniff or hijack VPN Connections (CVE-2019-14899)

Problem
This advisory provides information about a recently discovered vulnerability (CVE-2019-14899). The flaw could be exploited by an attacker who shares a network segment with the targeted user to determine whether they are using a VPN, obtain the virtual IP address, determine whether the target is currently visiting a specified website, and even inject data into the TCP stream. According to the published details, it is possible to hijack active connections within the VPN tunnel.

 
Solution
Pulse Secure is currently evaluating the issue reported in CVE-2019-14899.

Pulse Secure is currently investigating all products listed below to determine which are affected by this vulnerability and the impact on all supported software versions. Since the investigation is ongoing, we suggest subscribing to this advisory, as this document will be periodically updated with the latest status.

CVE-2019-14899
CVSS v3.0 base score: 5.3 (Medium); vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Product status:
  Pulse Connect Secure                  - Not Vulnerable
  Pulse Policy Secure                   - Not Vulnerable
  Pulse One                             - Not Vulnerable
  Pulse Secure Desktop Client (Windows) - Not Vulnerable
  Pulse Secure Desktop Client (macOS)   - Vulnerable
  Pulse Secure Desktop Client (Linux)   - Vulnerable
  Pulse Mobile Client (iOS)             - Vulnerable
  Pulse Mobile Client (Android)         - Vulnerable
  • Android, iOS and macOS users need to follow up with their OS vendors, as this requires an OS-level update.
  • Linux users can set the reverse path filter (rp_filter) value. Enabling rp_filter might, however, break other functionality; alternatively, end users can configure iptables rules.
Pulse Secure will closely monitor the situation on Android, macOS and iOS platforms.
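Added example (not part of the Pulse Secure advisory): a POSIX shell audit of the Linux reverse-path-filter mitigation named above. It reads the per-interface rp_filter values, lists interfaces whose effective setting is not strict, and prints the sysctl and iptables commands an operator could review; the tunnel interface name, virtual IP and the specific iptables rule are illustrative assumptions, and SYSCTL_ROOT is a hypothetical override so the audit can run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: audit Linux reverse-path filtering (rp_filter), the
# mitigation the advisory names for CVE-2019-14899, and print hardening
# commands. SYSCTL_ROOT is a hypothetical override so the audit can run
# against a constructed directory tree instead of the live kernel.
set -e
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/conf}"

# Translate the kernel's rp_filter integer into a readable label.
rp_filter_label() {
  case "$1" in
    0) echo "disabled" ;;
    1) echo "strict" ;;
    2) echo "loose" ;;
    *) echo "unknown" ;;
  esac
}

# Per the kernel docs, the effective setting for an interface is the
# maximum of conf/all/rp_filter and conf/<iface>/rp_filter.
effective_rp_filter() {
  all_val=$(cat "$SYSCTL_ROOT/all/rp_filter" 2>/dev/null || echo 0)
  if_val=$(cat "$SYSCTL_ROOT/$1/rp_filter" 2>/dev/null || echo 0)
  if [ "$all_val" -gt "$if_val" ]; then echo "$all_val"; else echo "$if_val"; fi
}

# List interfaces whose effective rp_filter is not strict (1): on these the
# kernel will not discard same-segment packets whose reverse route points
# into the tunnel, which is what the advisory's mitigation relies on.
weak_rp_filter_ifaces() {
  for d in "$SYSCTL_ROOT"/*/; do
    [ -d "$d" ] || continue
    iface=$(basename "$d")
    case "$iface" in all|default|lo) continue ;; esac
    [ "$(effective_rp_filter "$iface")" -eq 1 ] || echo "$iface"
  done
}

# Print remediation commands for the operator to review and apply.
# $1 = tunnel interface, $2 = tunnel virtual IP (both illustrative values);
# the iptables rule drops packets for the virtual IP that did not arrive
# over the tunnel, the alternative when strict rp_filter breaks something.
hardening_commands() {
  echo "sysctl -w net.ipv4.conf.all.rp_filter=1"
  echo "sysctl -w net.ipv4.conf.default.rp_filter=1"
  echo "iptables -t raw -I PREROUTING ! -i $1 -d $2 -j DROP"
}

# Usage on a live host: report interfaces that still need attention.
weak_rp_filter_ifaces
```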

Under Review:
  Pulse Secure vADC                     - Under Review

Exploitation:

Pulse Secure PSIRT is not aware of any malicious exploitation for this vulnerability. 

Document History:
December 06, 2019 - Initial advisory posted
December 11, 2019 - Added information for Pulse Desktop Client and Pulse Mobile
February 10, 2020 - Updated the information for Pulse Desktop Client and Pulse Mobile.

LEGAL DISCLAIMER
  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.