Pulse Secure has evaluated the issues reported in CVE-2020-11580, CVE-2020-11581, and CVE-2020-11582. Please refer to the tables below to determine which products are affected.
As the investigation continues, we recommend subscribing to this advisory as it will be periodically updated to reflect the current status.
This issue is reported only on macOS, Linux and Solaris Clients. Agentless Host Checker uses an applet to send information to the PCS appliance.
To launch the Host Checker applet, browsers need to support NPAPI (the technology required for Java applets). As of September 2018, Firefox, Chrome and Safari no longer offer a version that supports NPAPI. Firefox version 52 ESR is the last release to support the technology. If end users are using this version, we highly recommend upgrading Mozilla Firefox to the latest version. PSAL support for Firefox was added in PCS 8.2r5 / PPS 5.3r5. Previous versions of the gateways attempted to invoke Java for Firefox in macOS.
CVE-2020-11580 | 8.1 High | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Pulse Connect Secure | Vulnerable |
Pulse Policy Secure | Vulnerable |
Pulse One | Not Vulnerable |
Pulse Secure Desktop Client (Windows) | Not Vulnerable |
Pulse Secure Desktop Client (MAC) | Not Vulnerable |
Pulse Secure Desktop Client (Linux) | Not Vulnerable |
Pulse Mobile Client (iOS & Android) | Not Vulnerable |
CVE-2020-11581 | 8.1 High | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Pulse Connect Secure | Vulnerable |
Pulse Policy Secure | Vulnerable |
Pulse One | Not Vulnerable |
Pulse Secure Desktop Client (Windows) | Not Vulnerable |
Pulse Secure Desktop Client (MAC) | Not Vulnerable |
Pulse Secure Desktop Client (Linux) | Not Vulnerable |
Pulse Mobile Client (iOS & Android) | Not Vulnerable |
CVE-2020-11582 | 8.8 High | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Pulse Connect Secure | Vulnerable |
Pulse Policy Secure | Vulnerable |
Pulse One | Not Vulnerable |
Pulse Secure Desktop Client (Windows) | Not Vulnerable |
Pulse Secure Desktop Client (MAC) | Not Vulnerable |
Pulse Secure Desktop Client (Linux) | Not Vulnerable |
Pulse Mobile Client (iOS & Android) | Not Vulnerable |
Exploitation:
Pulse Secure PSIRT is not aware of any malicious exploitation for this vulnerability.
Document History:
April 08, 2020 - Initial advisory posted.
April 13, 2020 - CVE-2020-11580 CVSS score changed; description verbiage changed.
LEGAL DISCLAIMER
- THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK. PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
- A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS. THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.