CVE-2020-8260, CVE-2020-15352, CVE-2020-8255:
To protect the admin web interface, customers can follow the steps below as a workaround:
- Restrict the admin web console to either the Internal or Management interface and disable access from the Internet. For step-by-step instructions, refer to KB44589.
- Implement 2FA or MFA for administrators.
- Add realm-level restrictions for admin realms and roles to provide additional protection. For more information, refer to Access Restrictions in the General Access Management guide.

CVE-2020-8263 and CVE-2020-8262:
As a precautionary measure, customers can follow the steps below:
- Disable roaming sessions, or limit them to a subnet, for non-roaming user roles:
  This feature ensures that a stolen session cookie cannot be reused from an IP address other than the one the user first logged in from. This lowers the possibility of a session being stolen and reused by an attacker, and it requires the end user to re-authenticate when the source IP address changes.
  - Users: Users > User Roles > 'role name' > General > Session Options: Roaming Session, select "Disabled".
  - Admins: Administrators > Admin Roles > 'role name' > General > Session Options: Roaming Session, select "Disabled".
- Enable HTTP Only Device Cookie under User Role. For step-by-step instructions, refer to KB16127.
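The two session controls above (binding a session to the source address or subnet, and marking the cookie HttpOnly) are generic web-session hardening measures, and the following added example shows how they work in principle. It is not Pulse Secure code: the session store, the policy names, the cookie name SESSIONID and the sample addresses are all constructed for illustration. A session created at one address is rejected, and invalidated so the user must log in again, when the same cookie is presented from a different address (roaming disabled) or from outside the login subnet (roaming limited to subnet).

```python
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Union

# Roaming policies (assumption: these names are ours, not the product's).
ROAMING_ENABLED = "enabled"    # cookie accepted from any source address
ROAMING_DISABLED = "disabled"  # cookie accepted only from the address that logged in
ROAMING_SUBNET = "subnet"      # cookie accepted only from the login address's subnet

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Session:
    user: str
    bound_ip: IPAddress  # source address recorded at login


class SessionStore:
    """In-memory session store that enforces a roaming policy on every request."""

    def __init__(self, roaming: str = ROAMING_DISABLED, subnet_prefix: int = 24):
        self.roaming = roaming
        self.subnet_prefix = subnet_prefix  # prefix length used by the subnet policy (IPv4 default /24)
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> str:
        """Log a user in: issue an unguessable token bound to the client's source address."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, ipaddress.ip_address(client_ip))
        return token

    def _same_origin(self, bound: IPAddress, current: IPAddress) -> bool:
        if self.roaming == ROAMING_ENABLED:
            return True
        if self.roaming == ROAMING_DISABLED:
            return bound == current
        # Subnet policy: the current address must fall in the network that contains the login address.
        if bound.version != current.version:
            return False
        login_net = ipaddress.ip_network(f"{bound}/{self.subnet_prefix}", strict=False)
        return current in login_net

    def validate(self, token: str, client_ip: str) -> Optional[str]:
        """Return the session's user, or None if the token is unknown or presented from a disallowed address.

        A policy violation invalidates the session, so a cookie replayed from elsewhere cannot be
        retried and the legitimate user has to re-authenticate after their source address changed.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        current = ipaddress.ip_address(client_ip)
        if not self._same_origin(session.bound_ip, current):
            del self._sessions[token]
            return None
        return session.user

    @staticmethod
    def set_cookie_header(token: str, http_only: bool = True) -> str:
        """Build the Set-Cookie header; HttpOnly keeps the token out of reach of page scripts."""
        attrs = [f"SESSIONID={token}", "Path=/", "Secure", "SameSite=Strict"]
        if http_only:
            attrs.append("HttpOnly")
        return "Set-Cookie: " + "; ".join(attrs)


def demo() -> dict:
    """Walk through both policies with constructed addresses and return the observed outcomes."""
    strict = SessionStore(ROAMING_DISABLED)
    token = strict.create("alice", "203.0.113.10")
    results = {
        "same_ip": strict.validate(token, "203.0.113.10"),        # "alice"
        "other_ip": strict.validate(token, "198.51.100.7"),        # None: replayed cookie rejected
        "original_ip_after": strict.validate(token, "203.0.113.10"),  # None: session invalidated
    }
    subnet = SessionStore(ROAMING_SUBNET, subnet_prefix=24)
    token2 = subnet.create("bob", "10.1.2.3")
    results["same_subnet"] = subnet.validate(token2, "10.1.2.200")  # "bob"
    results["other_subnet"] = subnet.validate(token2, "10.1.3.1")   # None
    results["cookie"] = SessionStore.set_cookie_header(token)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of checks in `validate` matters: the token lookup happens first, so an unknown cookie yields the same `None` as a rejected one and the caller treats both as "not logged in". Binding to a subnet rather than an exact address is the compromise the advisory mentions for users whose address legitimately changes within one network, at the cost of accepting a replayed cookie from any host in that subnet.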
Administrators could verify and make sure that Embedded Browser and Credential Provider Settings are not enabled at the same time in the Pulse Secure Client Connection Set.
CVE-2020-8241, CVE-2020-8254 & CVE-2020-8239:
The following configuration changes address these vulnerabilities.
Disable the Dynamic certificate trust option. Dynamic certificate trust determines whether users can opt to trust unknown certificates; if it is selected, a user can ignore warnings about invalid certificates and connect to the target Pulse server.
An administrator can apply the same setting for Mobile Users.
Enable Server certificate trust enforcement: System > Configuration > Mobile > select "Enabled" under Server certificate trust enforcement.
This vulnerability can also be mitigated by disabling the "Allow saving logon information" option under Pulse Secure Connection Set Options.