These issues are resolved in the following releases:
Pulse Connect Secure (PCS) 9.1R8.2
Pulse Policy Secure (PPS) 9.1R8.2
Solution
The solution for these vulnerabilities is to upgrade the Pulse Connect Secure and Pulse Policy Secure server software to version 9.1R8.2. Pulse Secure has released software updates that address these vulnerabilities. This PCS/PPS version can be downloaded from https://my.pulsesecure.net.
Note: The fixes for the following vulnerabilities are server-side only. There is no need to upgrade the Pulse Desktop Client to resolve or mitigate the following issues.
Pulse Connect Secure / Pulse Policy Secure:

| CVE | CVSS Score (V3) | Summary |
| --- | --- | --- |
| CVE-2020-8243 | 7.2 High CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | A vulnerability in the admin web interface could allow an authenticated attacker to upload a custom template to perform arbitrary code execution. |
| CVE-2020-8238 | 6.5 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | A vulnerability in the authenticated user web interface of PCS/PPS could allow attackers to conduct Cross-Site Scripting (XSS). |
| CVE-2020-8256 | 4.9 Medium CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | A vulnerability in the admin web interface could allow an authenticated attacker to gain arbitrary file reading access via an XML External Entity (XXE) vulnerability. This vulnerability only affects PCS. |

Document History: Sep 23, 2020 - Initial advisory posted and software was posted to the Download Centre.
LEGAL DISCLAIMER
THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HERE FROM IS AT THE USER’S OWN RISK. PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS. THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround
CVE-2020-8243 and CVE-2020-8256: To protect the admin web interface, customers can follow the steps below as a workaround:
Restrict the admin web console to either the Internal or the Management interface and disable access from the Internet. For step-by-step instructions, refer to KB44589.
Implement 2FA- or MFA-based configuration for administrators.
CVE-2020-8238: As a precautionary measure, customers can follow the steps below:
Disable roaming session or limit to subnet for non-roaming user roles: This feature ensures that if a session cookie is stolen, it cannot be reused from a different IP address than the one the user first logged in from. This lowers the possibility of a session being stolen and reused by an attacker. It requires the end user to re-authenticate when the source IP address changes.
Users: (Users > User Roles > 'role name' > General > Session Options: Roaming Session, select "Disabled").
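The effect of the roaming session setting on a reused session cookie, as an added illustration (not Pulse Secure code and not a description of its implementation). The mode names, the /24 prefix and the sample addresses are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Mode names are assumptions for this example, not product identifiers.
ROAMING_ENABLED = "enabled"
ROAMING_SUBNET = "limit-to-subnet"
ROAMING_DISABLED = "disabled"


@dataclass
class Session:
    cookie: str
    login_ip: str  # source IP recorded when the user first logged in


def request_allowed(session, source_ip, mode, prefix_len=24):
    """Decide whether a request presenting the session cookie from source_ip is accepted."""
    login = ipaddress.ip_address(session.login_ip)
    source = ipaddress.ip_address(source_ip)
    if mode == ROAMING_ENABLED:
        return True  # the cookie alone is sufficient, from any address
    if mode == ROAMING_DISABLED:
        return source == login  # any change of source IP forces re-authentication
    if mode == ROAMING_SUBNET:
        if source.version != login.version:
            return False  # an IPv4 login never matches an IPv6 source, and vice versa
        # strict=False lets the network be derived from a host address
        subnet = ipaddress.ip_network(f"{login}/{prefix_len}", strict=False)
        return source in subnet
    raise ValueError(f"unknown roaming mode: {mode!r}")


def evaluate(mode):
    """Check three constructed requests against one session under the given mode."""
    session = Session(cookie="constructed-cookie", login_ip="198.51.100.23")
    requests = {
        "same_ip": "198.51.100.23",       # the legitimate user, unchanged address
        "same_subnet": "198.51.100.77",   # a neighbour on the same /24
        "other_network": "203.0.113.9",   # the cookie replayed from elsewhere
    }
    return {name: request_allowed(session, ip, mode) for name, ip in requests.items()}


if __name__ == "__main__":
    for mode in (ROAMING_ENABLED, ROAMING_SUBNET, ROAMING_DISABLED):
        print(mode, evaluate(mode))
```

Limiting to a subnet still accepts the cookie from any host in the same subnet as the original login, which is the trade-off against forcing re-authentication on every address change.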
Pulse Secure would like to thank all researchers for reporting these vulnerabilities.
Rich Warren from NCC Group FSAS
David Cash from NCC Group FSAS
Maxime Nadeau from GoSecure, Inc
Romain Carnus from GoSecure, Inc
Simon Nolet from GoSecure, Inc
Jean-Frédéric Gauron from GoSecure, Inc
Temuujin Darkhantsetseg from GoSecure, Inc
Julien Pineault from GoSecure, Inc