The Pulse Secure Linux client GUI fails to validate SSL certificates, which can allow an attacker to modify connection settings.
By modifying traffic between a Pulse Secure Linux client GUI and a server, an attacker may be able to take actions in the Pulse Secure client GUI, as well as modify information presented to the user. This may result in the user connecting to a malicious VPN server.
Apply an update
This issue is addressed in Pulse Secure versions PULSE5.3R4.2 Software (Build 639) and PULSE5.2R9.2 Software (Build 638). Please see Pulse Secure advisory SA43620 - 2018-01 for more details. If you are unable to apply an update, please consider the following workaround:
Use the Pulse Secure Linux client CLI
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Date First Published: 2018-02-01
Date Last Updated: 2018-02-01 22:29 UTC