JSA10412 - VU#261869 - Clientless PCS products break web browser's domain-based security models

Product Affected
IVE: SA_6500, SA_4500, SA_2500, SA_6000_SP, SA_6000, SA_5000, SA_4000, SA_3000, SA_2000, SA_1000, SA_700
Problem
Clientless PCS products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.

Please see VU#261869 at www.cert.org for further details.
Solution
KB15799 - Pulse Secure recommendations for mitigating VU#261869 provides steps to mitigate the issue using Pulse Secure PCS product features. At the moment there is no solution available; however, Pulse Secure continues to explore the best path forward to address all possible exploit paths.
Risk Assessment
This issue may be limited by constraining the web servers for which the PCS device rewrites content.
Acknowledgements
Pulse Secure would like to acknowledge the following customers for bringing this to our attention:
FishNet Security, Inc.
Logica Nederland BV
Alert Type
PSN - Product Support Notification
Risk Level
Medium
Legacy ID
PSN-2009-11-580, JSA10412
