Reset Search
 

 

Article

SA44426 - 2020-04: Out-of-Cycle Advisory: Multiple Host Checker Vulnerabilities

« Go Back

Information

 
Product AffectedPulse Connect Secure, Pulse Policy Secure
Problem
This advisory provides information about the Host Checker policy enforcement vulnerabilities highlighted in CVE-2020-11580, CVE-2020-11581, and CVE-2020-11582. These vulnerabilities could allow a man-in-the-middle (MITM) attacker to perform a remote code execution (RCE) attack.
Solution
Pulse Secure has evaluated the issues reported in CVE-2020-11580, CVE-2020-11581, and CVE-2020-11582. Please refer to the below table to determine which products are affected.

As the investigation continues, we recommend subscribing to this advisory as it will be periodically updated to reflect the current status.

This issue is reported only on macOS, Linux and Solaris Clients. Agentless Host Checker uses an applet to send information to the PCS appliance.

To launch the Host Checker Applet, Browsers should support NPAPI support (technology required for Java applets). As of September, 2018, Firefox, Chrome and Safari Browsers no longer offers a version which supports NPAPI. Firefox version 52ESR is the last release to support the technology. If end users are using this version, we highly recommend to upgrade the Mozilla Firefox to latest version. PSAL support for Firefox was added in PCS 8.2r5 / PPS 5 .3r5. Previous versions of the gateways attempted to invoke Java for Firefox in macOS.

CVE-2020-11580
8.1High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
 
Pulse Connect SecureVulnerable
Pulse Policy SecureVulnerable
Pulse OneNot Vulnerable
Pulse Secure Desktop Client (Windows)Not Vulnerable
Pulse Secure Desktop Client (MAC)Not Vulnerable
Pulse Secure Desktop Client (Linux)Not Vulnerable
Pulse Mobile Client (iOS & Android)Not Vulnerable 

CVE-2020-11581
8.1 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
 
Pulse Connect SecureVulnerable
Pulse Policy SecureVulnerable
Pulse OneNot Vulnerable
Pulse Secure Desktop Client (Windows)Not Vulnerable
Pulse Secure Desktop Client (MAC)Not Vulnerable
Pulse Secure Desktop Client (Linux)Not Vulnerable
Pulse Mobile Client (iOS & Android)Not Vulnerable 

CVE-2020-11582
8.8 High CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 
Pulse Connect SecureVulnerable
Pulse Policy SecureVulnerable
Pulse OneNot Vulnerable
Pulse Secure Desktop Client (Windows)Not Vulnerable
Pulse Secure Desktop Client (MAC)Not Vulnerable
Pulse Secure Desktop Client (Linux)Not Vulnerable
Pulse Mobile Client (iOS & Android)Not Vulnerable 



Exploitation:

Pulse Secure PSIRT is not aware of any malicious exploitation for this vulnerability. 

Document History:
April 08, 2020 - Initial advisory posted
April 13, 2020 - CVE-2020-11580 CVSS Score Changed, Change description verbiage.

LEGAL DISCLAIMER
  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround
  • Safari 12 and above no longer supports NPAPI. if you are using older version, please upgrade your browsers to latest version.
  • Google's Chrome version 45 and above have dropped support for NPAPI, and therefore Java Plugin do not work on these browsers anymore.
  • Firefox no longer offers a version which supports NPAPI. Firefox version 52ESR is the last release to support the technology. If end users are using 52ESR, Please recommend to upgrade the browser to latest version or use Pulse Secure Linux Client.
  • If Host Checker is not enabled on the PCS Appliance, end users are not vulnerable CVE-2020-11580, CVE-2020-11581, and CVE-2020-11582.
Implementation
Related Links
CVSS Score
Risk Assessment
Acknowledgements
Alert Type 
Risk Level 
Attachment 1 
Attachment 2 
Legacy ID

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255