The solution for these vulnerabilities is to upgrade the Pulse Connect Secure and Pulse Policy Secure server software version to the 9.1R8. This following PCS/PPS version can be downloaded from
https://my.pulsesecure.net.
Note: The following vulnerabilities are server-side fixes only. There is no need to upgrade the Pulse Desktop Client to resolve or mitigate the following issues.
| CVE | CVSS Score (V3) | Summary |
| CVE-2020-8206 | 8.1 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Attacker can bypass the Google TOTP, if the primary credentials are exposed to attacker.
NOTE: If PCS TOTP Auth Server is configured as Remote Server, both PCS should need to be upgraded. |
| CVE-2020-8218 | 7.2 High CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | Authenticated attacker via the admin web interface can crafted URI to perform an arbitrary code execution |
| CVE-2020-8221 | 6.8 Medium CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N | Authenticated attacker via the administrator web interface can read arbitrary files. |
| CVE-2020-8222 | 6.8 Medium CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N | Authenticated attacker via the administrator web interface can perform an arbitrary file reading vulnerability through Meeting. |
| CVE-2020-8219 | 6.6 Medium CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | A user administrator can change the password of a full Administrator. |
| CVE-2020-8220 | 6.5 Medium CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H | Authenticated attacker via the administrator web interface can perform command injection that cause DOS. |
| CVE-2020-12880 | 6.2 Medium
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | An insider malicious actor can manipulate kernel boot parameter to gain the root access of VA Appliances |
| CVE-2019-11507 | 6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | DOM-based link manipulation vulnerability found in the PSAL Download Page. |
| CVE-2020-8204 | 6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | A Cross site scripting issue (XSS) has been found in URL used for PSAL Page. |
| CVE-2018-19519 | 5.5 Medim
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | Authenticated attacker via the administrator web interface can perform a stack-based buffer attack. |
| CVE-2020-8217 | 5.5 Medium CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L | A Cross site scripting issue (XSS) has been found in URL used for Citrix ICA. |
| CVE-2020-8216 | 3.7 LOW CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | A vulnerability in meeting of Pulse Connect Secure allow an authenticated end-users to find meeting details, if they know the Meeting ID. |
| CVE-2020-15408 | 3.7 Low CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N | Authenticated attacker via the end user web interface access admin page console through rewrite. |
Document History:July 27, 2020 - Initial advisory posted and software was posted to the Download Center.
July 28, 2020 - Adding information the following issues is not applicable to Pulse Desktop Client.
Jan 7, 2020 - Adding additional information for CVE-2020-8206.
LEGAL DISCLAIMER
- THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HERE FROM IS AT THE USER’S OWN RISK. PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
- A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS. THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
