Vulnerability Note VU#319904
Pulse Secure Linux client GUI fails to validate SSL certificates
The Pulse Secure Linux client GUI fails to validate SSL certificates, which can allow an attacker to modify connection settings.
By modifying traffic between a Pulse Secure Linux client GUI and a server, an attacker may be able to take actions in the Pulse Secure client GUI, as well as modify information presented to the user. This may result in the user connecting to a malicious VPN server.
Apply an update
This issue is addressed in Pulse Secure versions PULSE5.3R4.2 Software (Build 639) and PULSE5.2R9.2 Software (Build 638). Please see Pulse Secure advisory SA43620 - 2018-01 for more details. If you are unable to apply an update, please consider the following workaround:
Use the Pulse Secure Linux client CLI
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Pulse Secure | Affected | 11 Dec 2017 | 01 Feb 2018 |
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
- CVE IDs: CVE-2018-6374
- Date Public: 01 Feb 2018
- Date First Published: 01 Feb 2018
- Date Last Updated: 01 Feb 2018
- Document Revision: 6