PT-2020-12696 · Pulse Secure · Pulse Connect Secure

Giulio · Published 2020-04-06 · Updated 2021-09-16 · CVE-2020-11580

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Pulse Secure Pulse Connect Secure (PCS) versions prior to 2020-04-06

Description: An issue was discovered where the applet in tncc.jar accepts an arbitrary SSL certificate when a Host Checker policy is enforced on macOS, Linux, and Solaris clients.

Recommendations: For Pulse Secure Pulse Connect Secure (PCS) versions prior to 2020-04-06, consider disabling the Host Checker policy as a temporary workaround until a patch is available. Restrict access to the tncc.jar applet to minimize the risk of exploitation.

Exploit

Fix

Improper Certificate Validation

Weakness Enumeration

Related Identifiers

CVE-2020-11580

Affected Products

Pulse Connect Secure