
SA44588 - 2020-09: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.1R8.2

Products: Pulse Connect Secure, Pulse Policy Secure
This advisory provides information about multiple vulnerabilities resolved in Pulse Connect Secure 9.1R8.2 and Pulse Policy Secure 9.1R8.2.

Refer to KB43892 - "What releases will Pulse Secure apply fixes to resolve security vulnerabilities?" for our End of Engineering (EOE) and End of Life (EOL) policies.


Affected Versions:
  • Pulse Connect Secure (PCS) 9.1Rx or below
  • Pulse Policy Secure (PPS) 9.1Rx or below
These issues are resolved in the following releases:
  • Pulse Connect Secure (PCS) 9.1R8.2
  • Pulse Policy Secure (PPS) 9.1R8.2
The solution for these vulnerabilities is to upgrade the Pulse Connect Secure and Pulse Policy Secure server software to version 9.1R8.2. Pulse Secure has released software updates that address these vulnerabilities. The PCS/PPS release can be downloaded from https://my.pulsesecure.net.
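As an added illustration for the affected-versions list above (example code written for this page, not Pulse Secure's tooling), the following Python helper parses PCS/PPS release strings and sorts an inventory into affected and fixed hosts. It assumes release strings follow the <major>.<minor>R<release>[.<patch>] shape seen in 9.1R8.2; the hostnames and versions in the sample inventory are constructed.

```python
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Assumed grammar for PCS/PPS release strings: <major>.<minor>R<release>[.<patch>].
# The advisory only shows "9.1R8.2" and "9.1Rx"; this pattern is this example's assumption.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

FIXED_IN = "9.1R8.2"  # release that resolves the issues in SA44588


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.1R8.2' into (9, 1, 8, 2); a missing patch component counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PCS/PPS version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(version: str, fixed_in: str = FIXED_IN) -> bool:
    """True if the running version predates the fixed release.

    The advisory lists 9.1Rx and below as affected, so anything that sorts
    before 9.1R8.2 (including 9.0Rx and older trains) is treated as affected.
    """
    return parse_version(version) < parse_version(fixed_in)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts into 'affected', 'fixed' and 'unparsed' buckets.

    Strings that do not parse are reported separately rather than being
    silently counted as fixed.
    """
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "unparsed": []}
    for host, ver in inventory.items():
        try:
            buckets["affected" if is_affected(ver) else "fixed"].append(host)
        except ValueError:
            buckets["unparsed"].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up for the demo.
    sample = {
        "vpn-a.example.internal": "9.1R8.2",
        "vpn-b.example.internal": "9.1R7.1",
        "vpn-c.example.internal": "9.0R3.4",
        "vpn-d.example.internal": "9.1R9",
        "vpn-e.example.internal": "unknown",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The comparison is purely on the version string; it does not confirm that a host actually runs the build it reports, so treat the result as a first-pass inventory filter rather than proof of patch state.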
 
Note: The fixes for the following vulnerabilities are server-side only. There is no need to upgrade the Pulse Desktop Client to resolve or mitigate the following issues.

Pulse Connect Secure / Pulse Policy Secure:
 
CVE: CVE-2020-8243
CVSS Score (V3): 7.2 High (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Summary: A vulnerability in the admin web interface could allow an authenticated attacker to upload a custom template to perform arbitrary code execution.

CVE: CVE-2020-8238
CVSS Score (V3): 6.5 Medium (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Summary: A vulnerability in the authenticated user web interface of PCS/PPS could allow attackers to conduct Cross-Site Scripting (XSS).

CVE: CVE-2020-8256
CVSS Score (V3): 4.9 Medium (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Summary: A vulnerability in the admin web interface could allow an authenticated attacker to gain arbitrary file read access via an XML External Entity (XXE) vulnerability. This vulnerability only affects PCS.


Document History:
Sep 23, 2020 - Initial advisory posted and software was posted to the Download Centre.

LEGAL DISCLAIMER

  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HERE FROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround:
CVE-2020-8243 and CVE-2020-8256: To protect the admin web interface, customers can follow the steps below as a workaround:
  • Restrict the admin web console to either the Internal or the Management interface and disable access from the Internet. For step-by-step instructions, refer to KB44589.
  • Implement a 2FA- or MFA-based configuration for administrators.
  • Add realm-level restrictions for admin realms and roles to provide additional protection. For more information, refer to Access Restrictions under the General Access Management guide.
CVE-2020-8238: As a precautionary measure, customers can follow the steps below:
  • Disable roaming sessions, or limit them to a subnet, for non-roaming user roles:
    This feature ensures that if a session cookie is stolen it cannot be reused from an IP address different from that of the user who first logged in. This lowers the possibility of a session being stolen and reused by an attacker. The end user will be required to re-authenticate when the source IP address changes.
  1. Users: Users > User Roles > 'role name' > General > Session Options: Roaming Session, select "Disabled".
  2. Admins: Administrators > Admin Roles > 'role name' > General > Session Options: Roaming Session, select "Disabled".
  • Enable HTTP Only Device Cookie under User Role. For step-by-step instructions, refer to KB16127.
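The roaming-session and HTTP Only cookie options above bind a session to the client address and keep the cookie out of reach of page scripts. The following Python model, added here as an illustration and not Pulse Secure's implementation, shows both mechanisms in a toy session store: a token issued at login is accepted only from the recorded IPv4 address (or its subnet when a prefix length is given), a mismatch invalidates the session so the user must log in again, and the Set-Cookie helper carries the HttpOnly flag. The cookie name, IP addresses and user names are constructed for the demo.

```python
from __future__ import annotations

import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    # Network the token may be presented from; None mirrors "Roaming Session: Enabled".
    allowed: Optional[object]
    created: float


class SessionStore:
    """Toy in-memory session store; names and layout are this example's own."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str, prefix_len: Optional[int] = 32) -> str:
        """Issue a token. prefix_len=32 binds the session to the exact IPv4 address
        (roaming disabled); a shorter prefix limits it to that subnet; None allows roaming."""
        allowed = None
        if prefix_len is not None:
            allowed = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, allowed, time.time())
        return token

    def resolve(self, token: str, client_ip: str) -> Optional[str]:
        """Return the user for a valid token, or None when the caller must re-authenticate.
        A bound token presented from outside its allowed network is discarded, so a
        stolen cookie cannot be replayed from another address."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if sess.allowed is not None and ipaddress.ip_address(client_ip) not in sess.allowed:
            del self._sessions[token]  # invalidate: the legitimate user logs in afresh too
            return None
        return sess.user


def set_cookie_header(name: str, token: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie value with HttpOnly (unreadable by page scripts), Secure and SameSite."""
    return f"{name}={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_is_httponly(set_cookie_value: str) -> bool:
    """Check an observed Set-Cookie header for the HttpOnly attribute (case-insensitive)."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "httponly" in attrs


def demo() -> dict:
    """Walk through login, a replay from another address, and the cookie flag check."""
    store = SessionStore()
    token = store.login("alice", "198.51.100.10")  # constructed address
    return {
        "same_ip": store.resolve(token, "198.51.100.10"),         # "alice"
        "other_ip": store.resolve(token, "203.0.113.7"),          # None: replay rejected
        "after_mismatch": store.resolve(token, "198.51.100.10"),  # None: must re-authenticate
        "httponly": cookie_is_httponly(set_cookie_header("session", token)),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The subnet option exists for the reason the advisory hints at: users behind NAT pools or proxy clusters legitimately change address within a range, and binding to a /24 keeps them logged in while still rejecting a cookie replayed from an unrelated network.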
Pulse Secure would like to thank all researchers for reporting these vulnerabilities.

Rich Warren from NCC Group FSAS
David Cash from NCC Group FSAS
Maxime Nadeau from GoSecure, Inc
Romain Carnus from GoSecure, Inc
Simon Nolet from GoSecure, Inc
Jean-Frédéric Gauron from GoSecure, Inc
Temuujin Darkhantsetseg from GoSecure, Inc
Julien Pineault from GoSecure, Inc
Advisory Type: SA - Security Advisory
Severity: Medium