PT-2018-18162 · Pulse Secure · Pulse Secure Client

Dominic Chell

Published

2018-09-12

Updated

2018-11-27

CVE-2018-7572

CVSS v2.0

7.2

High

Vector

AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Pulse Secure Client versions 5.3RX through 5.3R4 Pulse Secure Client version 9.0R1

Description The issue allows attackers to bypass Windows authentication and execute commands on the system with the privileges of Pulse Secure Client. This can be achieved by interrupting the client's network connectivity and triggering a connection to a crafted proxy server with an invalid SSL certificate, which allows certification-manager access. This access enables the attacker to browse local files and execute local programs.

Recommendations For Pulse Secure Client version 9.0R1, update to a version that includes the necessary security fixes. For Pulse Secure Client versions 5.3RX through 5.3R4, update to version 5.3R5 or later to resolve the issue.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2018-7572

Affected Products

Pulse Secure Client

PT-2018-18162 · Pulse Secure · Pulse Secure Client

CVE-2018-7572

Weakness Enumeration

Related Identifiers

Affected Products

References · 3