Related Articles

KB15799 - Pulse Secure recommendations for mitigating VU#261869

KB30366 - Impact of Google Chrome browser’s NPAPI based plug-in deprecation on Java applets and the Pulse Secure products

KB22301 - [ Sign In Page ] Custom UI: How to change the language of the 'Browser executing scripts on the PCS User login page' warning message

KB29853 - How can I find the serial number and hardware id for my Pulse Secure products?

KB22752 - Web application breaks via rewriter when the client browser sends a POST request greater than 4kb in size

KB29805 - Pulse Connect Secure: Security configuration best practices

JSA10401 - Pulse Connect Secure (PCS) product - PCS Security Bundle - Internal System Function

KB12606 - When Clientless ActiveSync is configured, cannot access Outlook Web Access (OWA) through an IVE bookmark.

KB44764 - Customer FAQ: PCS Security Integrity Tool Enhancements

KB44938 - Host Checker fails for some security solutions through Browsers but succeeds with Pulse Desktop Client.

< Back to search results

Article

JSA10412 - VU#261869 - Clientless PCS products break web browser's domain-based security models

« Go Back

Information

Product Affected	IVE: SA_6500, SA_4500, SA_2500, SA_6000_SP, SA_6000, SA_5000, SA_4000, SA_3000, SA_2000, SA_1000, SA_700

Problem

Clientless PCS products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.

Please see VU#261869 at www.cert.org for further details.

Solution

KB15799 - Pulse Secure recommendations for mitigating VU#261869 provide steps to mitigate the issue using Pulse Secure PCS product features. At the moment there is no solution available, however Pulse Secure continues to explore the best path forward to address all possible exploit paths.

Workaround

Implementation

Related Links

CVSS Score

Risk Assessment	This issue may be limited by constraining the web servers for which the PCS device rewrites content.

Acknowledgements

Pulse Secure would like to acknowledge the following customers for bringing this to our attention:
FishNet Security, Inc.
Logica Nederland BV

Alert Type	PSN - Product Support Notification

Risk Level	Medium

Attachment 1

Attachment 2

Legacy ID	PSN-2009-11-580, JSA10412