SA44601 - 2020-10: Security Bulletin: Multiple Vulnerabilities Resolved in Pulse Connect Secure / Pulse Policy Secure / Pulse Secure Desktop Client 9.1R9

Product Affected: Pulse Connect Secure, Pulse Policy Secure, Pulse Secure Desktop Client
Problem
This advisory provides information about multiple vulnerabilities resolved in Pulse Connect Secure 9.1R9, Pulse Policy Secure 9.1R9 and Pulse Secure Desktop Client 9.1R9.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? per our End of Engineering (EOE) and End of Life (EOL) policies.

Affected Versions:
  • Pulse Connect Secure (PCS) 9.1Rx or below
  • Pulse Policy Secure (PPS) 9.1Rx or below
  • Pulse Secure Desktop Client (PDC) 9.1Rx or below
These issues are resolved in the following releases:
  • Pulse Connect Secure (PCS) 9.1R9
  • Pulse Policy Secure (PPS) 9.1R9
  • Pulse Secure Desktop Client 9.1R9
Solution
The solution for these vulnerabilities is to upgrade the Pulse Connect Secure, Pulse Policy Secure, and Pulse Secure Desktop Client software to version 9.1R9. Pulse Secure has released software updates that address these vulnerabilities. These PCS/PPS and PDC versions can be downloaded from https://my.pulsesecure.net.

Pulse Secure Desktop Client (Linux):
 
| CVE | CVSS Score (V3) | Summary |
|---|---|---|
| CVE-2020-8248 | 7.8 High CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | Pulse Secure Desktop Client (Linux) could allow local attackers to escalate privilege. |
| CVE-2020-8249 | 7.8 High CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | Pulse Secure Desktop Client (Linux) could allow local attackers to perform buffer overflow. |
| CVE-2020-8250 | 7.8 High CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | Pulse Secure Desktop Client (Linux) could allow local attackers to escalate privilege. |

Pulse Secure Desktop Client (Windows & Mac):

| CVE | CVSS Score (V3) | Summary | Recommendations |
|---|---|---|---|
| CVE-2020-8241 | 8.1 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Pulse Secure Desktop Client could allow the attacker to perform MITM Attack if end users are convinced to connect to a malicious server. | This vulnerability does not require a PDC upgrade. To improve the security of connections between Pulse clients and Pulse Connect Secure, disable Dynamic certificate trust for PDC. Check the workaround section to configure settings on PCS/PPS. |
| CVE-2020-8240 | 7.8 High CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | A restricted user on an endpoint machine can use system-level privileges if Embedded Browser is configured with Credential Provider. This vulnerability only affects Windows PDC if the Embedded Browser is configured with the Credential Provider. | This vulnerability is only exploitable when Embedded Browser is configured along with Credential Provider. An administrator can disable either one of the options to mitigate this issue, or upgrade PDC to 9.1R9. |
| CVE-2020-8254 | 6.8 Medium CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H | Pulse Secure Desktop Client has Remote Code Execution (RCE) if users are convinced to connect to a malicious server. This vulnerability only affects Windows PDC. | To improve the security of connections between Pulse clients and Pulse Connect Secure, disable Dynamic certificate trust for PDC, or upgrade PDC to 9.1R9. |
| CVE-2020-8239 | 5.9 Medium CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | Pulse Secure Desktop Client is vulnerable to client registry privilege escalation attack. This fix also requires Server Side Upgrade due to Standalone Host Checker Client (Windows) and Windows PDC. | To improve the security of connections between Pulse clients and Pulse Connect Secure, disable Dynamic certificate trust for PDC, or upgrade PCS/PPS and PDC to 9.1R9. |
| CVE-2020-8956 | 3.8 Low CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | The malicious actor can decrypt the saved password if the "Save settings" option is selected in the client while entering the password. This vulnerability only affects Windows PDC. | This issue was fixed in 9.1R4 and the above versions to enhance the security. An administrator can also disable "Allow saving logon information" under Pulse Secure Connection Set Options to mitigate this issue, or upgrade PDC to 9.1R9. |


Pulse Connect Secure / Pulse Policy Secure:
 
| CVE | CVSS Score (V3) | Summary |
|---|---|---|
| CVE-2020-8260 | 7.2 High CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | A vulnerability in the admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. |
| CVE-2020-8261 | 6.5 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | PCS/PPS is vulnerable to arbitrary cookie injection. |
| CVE-2015-9251, CVE-2019-11358 | 6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Prototype Pollution and Cross-Site Scripting (XSS) issues fixed in the outdated jQuery. |
| CVE-2020-8262 | 5.8 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N | A vulnerability in the authenticated user web interface of PCS/PPS could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection. |
| CVE-2020-15352 | 5.5 Medium CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L | A vulnerability in the admin web interface could allow an authenticated attacker to perform SSRF via XML External Entity (XXE) vulnerability. |
| CVE-2020-8255 | 4.9 Medium CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | A vulnerability in the admin web interface could allow an authenticated attacker to perform arbitrary file reading. This is fixed using encrypted URL blacklisting that prevents these messages. |
| CVE-2020-8263 | 4.6 Medium CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L | A vulnerability in the authenticated user web interface of PCS could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file. |

Document History:
Oct 26, 2020 - Initial advisory posted and software was posted to the Download Centre.

LEGAL DISCLAIMER

  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HERE FROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround
CVE-2020-8260, CVE-2020-15352, CVE-2020-8255:

To protect the admin web interface, customers can follow the steps below as a workaround:
  • Restrict the admin web console to either the Internal or Management interface and disable access from the Internet. For step-by-step instructions, refer to KB44589.
  • Implement 2FA- or MFA-based configuration for administrators.
  • Add realm level restrictions for admin realms and roles to provide additional protection. For more info, refer to Access Restrictions under General Access Management guide.
CVE-2020-8263 and CVE-2020-8262:

As a precautionary measure, customers can follow the steps below:
  • Disable roaming session or limit to subnet for non-roaming user roles:
    This feature ensures that if a session cookie is stolen, it cannot be reused from a different IP address than the one the user first logged in from. This lowers the possibility of a session being stolen and reused by an attacker. It requires the end user to re-authenticate when the source IP address changes.
      1. Users: (Users > User Roles > 'role name' > General > Session Options: Roaming Session, select "Disabled").
      2. Admins: (Administrators > Admin Roles > 'role name' > General > Session Options: Roaming Session, select "Disabled").
  • Enable HTTP Only Device Cookie under User Role. For step-by-step instructions, refer to KB16127.
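
The effect of the Roaming Session setting described above, as an added illustration that is not Pulse Secure's code: a session check that binds the cookie to the source IP recorded at login. The mode names, the `Session` type, the /24 and /64 subnet widths and the sample addresses are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Modes mirror the three Roaming Session choices; the names are illustrative.
ENABLED, LIMIT_TO_SUBNET, DISABLED = "enabled", "limit-to-subnet", "disabled"


@dataclass(frozen=True)
class Session:
    cookie: str
    login_ip: str  # source IP recorded when the user first logged in


def same_subnet(a, b, v4_prefix=24, v6_prefix=64):
    """True when both addresses are the same family and share a network.

    The prefix lengths are assumed defaults, not values from the advisory.
    """
    ip_a, ip_b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if ip_a.version != ip_b.version:
        return False
    prefix = v4_prefix if ip_a.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ip_b in network


def accept_request(session, source_ip, mode):
    """Decide whether a request presenting the session cookie is honoured."""
    if mode not in (ENABLED, LIMIT_TO_SUBNET, DISABLED):
        raise ValueError(f"unknown roaming mode: {mode!r}")
    if mode == ENABLED:
        return True  # cookie alone is enough, so a stolen cookie works anywhere
    try:
        if mode == LIMIT_TO_SUBNET:
            return same_subnet(session.login_ip, source_ip)
        # DISABLED: exact match, any address change forces re-authentication
        return ipaddress.ip_address(source_ip) == ipaddress.ip_address(session.login_ip)
    except ValueError:
        return False  # unparseable address: fail closed


def replay_outcomes(session, other_ip):
    """Show, per mode, whether the cookie is accepted from another address."""
    return {m: accept_request(session, other_ip, m)
            for m in (ENABLED, LIMIT_TO_SUBNET, DISABLED)}


if __name__ == "__main__":
    victim = Session("constructed-cookie", "198.51.100.23")  # constructed sample
    print(replay_outcomes(victim, "203.0.113.5"))    # different network
    print(replay_outcomes(victim, "198.51.100.77"))  # same /24 as the login
```

Limiting to subnet still accepts a replay from a neighbouring host on the login network, which is why the advisory lists "Disabled" as the setting for non-roaming roles.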


CVE-2020-8240

Administrators could verify and make sure that Embedded Browser and Credential Provider Settings are not enabled at the same time in the Pulse Secure Client Connection Set.

CVE-2020-8241, CVE-2020-8254 & CVE-2020-8239:

These vulnerabilities require the configurations below to fix the issue.
PDC:
To fix this issue, disable the Dynamic certificate trust option. Dynamic certificate trust determines whether users can opt to trust unknown certificates. If this check box is selected, a user can ignore warnings about invalid certificates and connect to the target Pulse server.

An administrator could implement the same for Mobile Users.
Mobile:
Enable Server certificate trust enforcement: System > Configuration > Mobile > Select "Enabled" under Server certificate trust enforcement.

CVE-2020-8956

This vulnerability can also be mitigated by disabling "Allow saving logon information" under Pulse Secure Connection Set Options.


 

Acknowledgements
Pulse Secure would like to thank all researchers for reporting these vulnerabilities.
  • Rich Warren from NCC Group FSAS
  • David Cash from NCC Group FSAS
  • Matei "Mal" Badanoiu from Deloitte Romania
  • Security Team from Hulu
  • Security Team from QUILTER LLC
  • David Kierznowski (Independent Researcher)
  • Cristian Mocanu from Deloitte Romania
  • Quentin Kaiser from Gremwell
  • Sahil Mahajan
Alert Type: SA - Security Advisory
Risk Level: High