Reset Search
 

 

Article

SA44516 - 2020-07: Security Bulletin: Multiple Vulnerabilities Resolved in Pulse Connect Secure / Pulse Policy Secure 9.1R8

« Go Back

Information

 
Product AffectedPulse Connect Secure, Pulse Policy Secure
Problem
This advisory provides information about multiple vulnerabilities resolved in Pulse Connect Secure 9.1R8 and Pulse Policy Secure 9.1R8.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? per our End of Engineering (EOE) and End of Life (EOL) policies.

These issues are resolved in the following releases:
  • Pulse Connect Secure (PCS) 9.1R8
  • Pulse Policy Secure (PPS) 9.1R8
Solution
The solution for these vulnerabilities is to upgrade the Pulse Connect Secure and Pulse Policy Secure server software version to the 9.1R8. This following PCS/PPS version can be downloaded from https://my.pulsesecure.net.

Note:  The following vulnerabilities are server-side fixes only.  There is no need to upgrade the Pulse Desktop Client to resolve or mitigate the following issues. 
 
CVECVSS Score (V3)Summary
CVE-2020-82068.1 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HAttacker can bypass the Google TOTP, if the primary credentials are exposed to attacker.
CVE-2020-82187.2 High CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HAuthenticated attacker via the admin web interface can crafted URI to perform an arbitrary code execution
CVE-2020-82216.8 Medium CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:NAuthenticated attacker via the administrator web interface can read arbitrary files. 
CVE-2020-82226.8 Medium CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:NAuthenticated attacker via the administrator web interface can perform an arbitrary file reading vulnerability through Meeting.
CVE-2020-82196.6 Medium CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HA user administrator can change the password of a full Administrator.
CVE-2020-82206.5 Medium CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:HAuthenticated attacker via the administrator web interface can perform command injection that cause DOS.
CVE-2020-128806.2 Medium
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
An insider malicious actor can manipulate kernel boot parameter to gain the root access of VA Appliances
CVE-2019-115076.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NDOM-based link manipulation vulnerability found in the PSAL Download Page.
CVE-2020-82046.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NA Cross site scripting issue (XSS) has been found in URL used for PSAL Page.
CVE-2018-195195.5 Medim
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Authenticated attacker via the administrator web interface can perform a stack-based buffer attack.
CVE-2020-82175.5 Medium CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:LA Cross site scripting issue (XSS) has been found in URL used for Citrix ICA.
CVE-2020-82163.7 LOW CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NA vulnerability in meeting of Pulse Connect Secure allow an authenticated end-users to find meeting details, if they know the Meeting ID.
CVE-2020-154083.7 Low CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:NAuthenticated attacker via the end user web interface access admin page console through rewrite.
 
Document History:
July 27, 2020 - Initial advisory posted and software was posted to the Download Center.
July 28, 2020 - Adding information the following issues is not applicable to Pulse Desktop Client.

LEGAL DISCLAIMER

  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HERE FROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround
Implementation
Related Links
CVSS Score
Risk Assessment
Acknowledgements
Pulse Secure would like to thank all researchers for reporting these vulnerability.
  • Anthony Holt from Sapphire
  • Julien Pineault from GoSecure, Inc
  • Hamoon Raphael Mehran from Early Warning Security
  • Orange Tsai and Meh Chang from DEVCORE research team
  • Cristian Mocanu from Deloitte Romania
Alert TypeSA - Security Advisory
Risk LevelHigh
Attachment 1 
Attachment 2 
Legacy ID

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255