SA44503 - 2020-06: Out-of-Cycle Advisory: Pulse Secure Client TOCTOU Privilege Escalation Vulnerability (CVE-2020-13162)


Information

 
Product Affected

This issue impacts the following products:

Pulse Secure (Windows) Desktop client
Pulse Secure Installer Service (Windows) Client
Problem

A time-of-check to time-of-use (TOCTOU) vulnerability was discovered in a Pulse Secure client-side component on Windows. It is exploitable only on the endpoint itself and does not affect the Pulse Connect Secure (PCS) or Pulse Policy Secure (PPS) gateway (server) appliance. By exploiting this vulnerability, a restricted (non-administrative) local user on an endpoint machine can obtain administrative privileges.

CVE-2020-13162 has been assigned to this vulnerability.

Affected Product Versions:

Pulse Secure Desktop Client:

  • Pulse Secure Desktop Client (Windows) 9.1R5 or below
  • Pulse Secure Desktop Client (Windows) 9.0Rx
  • Pulse Secure Desktop Client (Windows) 5.3Rx

Pulse Secure Installer Service:

  • Pulse Secure Installer Service (Windows) 9.1R5 or below
  • Pulse Secure Installer Service (Windows) 9.1Rx
  • Pulse Secure Installer Service (Windows) 8.3Rx

Note:

  • Only versions that have not passed the End of Engineering (EOE) milestone were reviewed and are listed above.
  • Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) gateway versions are not impacted by this vulnerability.
  • The Pulse Desktop Client is forward and backward compatible with all supported versions of Pulse Connect Secure (PCS) software, so the fixed client can be deployed without a gateway upgrade.

This vulnerability does not impact the following Pulse Secure Clients:
  • All versions of Pulse Secure Desktop Client for Mac OS X
  • All versions of Pulse Secure Universal App for Windows
  • All versions of Pulse Secure Mobile Client for iOS
  • All versions of Pulse Secure Chrome OS
  • All versions of Pulse Secure Mobile Client for Android
  • All versions of Pulse Secure Desktop Client for Linux
  • All versions of Network Connect, Host Checker, WSAM and Windows Terminal Services Clients
Refer to KB43892 (What releases will Pulse Secure apply fixes to resolve security vulnerabilities?) for our End of Engineering (EOE) and End of Life (EOL) policies.

Solution

The solution for this issue is to update the endpoint machine with a fixed version of the impacted Pulse Secure client software.
To determine which updated client software to deploy, refer to the table below. It indicates which software needs to be deployed depending on the type of client installed on your endpoint machines.

If this client is installed                    | Deploy this version (or later)                | Release   | Note (if any)
-----------------------------------------------|-----------------------------------------------|-----------|------------------------------------------------------------------
Pulse Secure Desktop Client 9.1R5 or below     | Pulse Secure Desktop Client 9.1R6 or above    | Download  | KB44485: PDC 9.1R6 fails to install on non-English Windows 10 x64
Pulse Secure Installer Service 9.1R5 or below  | Pulse Secure Installer Service 9.1R6 or above | EXE, MSI  | 9.1R7 Pulse Secure Installer Service is available for download.
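The following PowerShell script is an added example for applying the table's decision on an endpoint; it is not Pulse Secure's own tooling and not part of the original advisory. It inventories the Pulse Secure Desktop Client and Installer Service from the Windows Uninstall registry keys and reports which of them still need the 9.1R6 (or later) release. The registry locations, the "Pulse Secure*" DisplayName pattern, and the assumption that DisplayVersion is laid out as major.minor.release.build with the R number in the third field (so 9.1R6 appears as 9.1.6.<build>) are assumptions to verify against your own installations before relying on the output.

```powershell
# Added example, not Pulse Secure's own tooling: inventory the Pulse Secure
# Desktop Client and Installer Service on a Windows endpoint and apply the
# decision from the advisory's table (anything below 9.1R6 needs the 9.1R6
# or later release).
#
# Assumptions, to be verified on your own endpoints:
#   - Both components register under the standard Uninstall keys with a
#     DisplayName beginning "Pulse Secure".
#   - DisplayVersion is "major.minor.release.build" with the third field
#     being the R number, so 9.1R6 appears as 9.1.6.<build>.
#   - The fixed release is 9.1R6 for both components, as the table states.

$FixedVersion = [version]'9.1.6'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Read every Pulse Secure entry from the Uninstall keys and parse its version.
function Get-PulseSecureComponents {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Pulse Secure*' } |
        ForEach-Object {
            $parsed   = $null
            $parsable = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            $ver = if ($parsable) { $parsed } else { $null }
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Version        = $ver
            }
        }
}

# Decide per component whether the table requires an upgrade. A version that
# cannot be parsed is flagged for manual review, never silently treated as fixed.
function Get-PulseSecureUpgradeStatus {
    param(
        [Parameter(ValueFromPipeline)] [pscustomobject] $Component,
        [version] $Fixed = $FixedVersion
    )
    process {
        if ($null -eq $Component.Version) {
            $status = 'Version not parsable; review manually'
        } elseif ($Component.Version -lt $Fixed) {
            $status = 'VULNERABLE: deploy 9.1R6 or later'
        } else {
            $status = 'Fixed'
        }
        # From the advisory's note: the Installer Service .exe package can
        # bootstrap through an existing Installer Service without administrative
        # rights, while the .msi package requires an administrative user.
        $hint = ''
        if ($status -like 'VULNERABLE*' -and $Component.DisplayName -like '*Installer Service*') {
            $hint = 'The .exe package upgrades without admin rights; the .msi needs an admin user'
        }
        [pscustomobject]@{
            Component = $Component.DisplayName
            Installed = $Component.DisplayVersion
            Status    = $status
            Hint      = $hint
        }
    }
}

$components = @(Get-PulseSecureComponents)
if ($components.Count -eq 0) {
    Write-Output 'No Pulse Secure components are registered on this endpoint.'
} else {
    $components | Get-PulseSecureUpgradeStatus | Format-Table -AutoSize
}
```

Run it under an account that can read HKLM (any standard user can); it only reads the registry and changes nothing. Because [version] treats a missing fourth field as lower than any build number, 9.1.6.<build> compares as fixed while 9.1.5.<build>, 9.0.x and 8.3.x compare as vulnerable, matching the affected-version list above.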


Frequently Asked Questions (FAQ):

Question 1: I have both the Pulse Secure Desktop Client and the standalone Installer Service client installed on my machine. Do I need to upgrade both products?
Answer: Yes. Both Pulse Secure clients must be upgraded.

Question 2: I have multiple client versions installed. Which client should I upgrade to fix all affected clients?
Answer: The recommended versions are Pulse Secure Desktop Client 9.1R6 or later and Pulse Secure Installer Service 9.1R6 or later.

Question 3: What clients are impacted by this vulnerability?
Answer: All Windows endpoints (Windows 10, Windows 8, etc.) running an affected version of the Pulse Secure Desktop Client or the Pulse Secure Installer Service are susceptible to this issue.

Question 4: I do not use the affected clients anymore. Can I uninstall them to fix the vulnerability instead of upgrading?
Answer: Yes. If you do not use any of the vulnerable client components (listed above), you may uninstall them to mitigate the risk. You must ensure that all impacted client components are uninstalled; leaving any one of them installed leaves the endpoint exposed.

Question 5: How do I deploy the patched Pulse Secure Desktop Client to my endpoints?
Answer: If you intend to deploy a patched Pulse Secure Desktop Client, upload the client bundle to your PCS or PPS gateway, configure it as the active version, and have your end users connect to the gateway. The Pulse Secure Desktop Client will auto-upgrade upon connection. Alternatively, you can distribute the Pulse Secure Desktop Client to your endpoints through an out-of-band software-distribution mechanism such as SMS. For details, refer to the section on upgrading the Pulse Secure Client in the Pulse Secure Desktop Client administration guide.

Question 6: How do I deploy the patched Installer Service client to my endpoints?
Answer: Currently the only way to upgrade the Installer Service client is to distribute the patched standalone Installer Service client to your endpoints through an out-of-band software-distribution mechanism such as SMS, or to provide the client package to your end users by other means.

Note: The standalone Installer Service client package is available in two formats (.exe and .msi). If a previous version of the Installer Service is already installed, the ".exe" package can be invoked as a restricted user: it communicates with the existing Installer Service and essentially bootstraps itself without requiring administrative privileges. The ".msi" package, by contrast, must be invoked by an administrative user.

Question 7: I don't use the Pulse Secure Desktop Client. I use Host Checker and have the standalone Installer Service client along with it. How do I fix the vulnerable standalone Installer Service client?
Answer: Install the patched standalone Installer Service client bundle on the client machine, as listed in the table above.

Question 8: Do I need to upgrade the PCS/PPS device as well?
Answer: No. The solution for this issue is to update the endpoint machine with a fixed version of the impacted Pulse Secure client software. A PCS/PPS gateway upgrade is not required.

Exploitation:

Pulse Secure PSIRT is not aware of any malicious exploitation of this vulnerability.

Document History:
June 17, 2020 - Initial advisory posted.
June 17, 2020 - KB44485 added in the Notes.
June 17, 2020 - Updated FAQ and Detailed Affected version details added.
June 18, 2020 - Uploaded 9.1R7 Pulse Secure Installer Service MSI and EXE. 

LEGAL DISCLAIMER

  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround: Not Applicable
Implementation: Not Applicable
CVSS Score: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Risk Assessment: Not Applicable
Alert Type: SA - Security Advisory
Risk Level: High
