PT-2013-4766 · Juniper Networks · Junos Pulse Access Control Service, Junos Pulse Secure Access Service
Published: 2013-06-13 · Updated: 2013-06-13
CVE-2013-3970
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Juniper Junos Pulse Secure Access Service (aka SSL VPN) versions 7.0r2 through 7.0r8
Juniper Junos Pulse Secure Access Service (aka SSL VPN) versions 7.1r1 through 7.1r5
Juniper Junos Pulse Access Control Service (aka UAC) versions 4.1r1 through 4.1r5
Description
The issue allows man-in-the-middle attackers to spoof SSL servers by leveraging control over a test Certification Authority (CA) certificate included in the Trusted Server CAs list.
Recommendations
For Juniper Junos Pulse Secure Access Service (aka SSL VPN) versions 7.0r2 through 7.0r8, remove the test Certification Authority (CA) certificate from the Trusted Server CAs list.
For Juniper Junos Pulse Secure Access Service (aka SSL VPN) versions 7.1r1 through 7.1r5, remove the test Certification Authority (CA) certificate from the Trusted Server CAs list.
For Juniper Junos Pulse Access Control Service (aka UAC) versions 4.1r1 through 4.1r5, remove the test Certification Authority (CA) certificate from the Trusted Server CAs list.
Affected Products
Junos Pulse Access Control Service
Junos Pulse Secure Access Service