cnvd - cnvd-2020-21825

CNVD-2020-21825

Vulnerability from cnvd - Published: 2020-04-08

Title

Pulse Secure Pulse Connect Secure和Pulse Policy Secure加密问题漏洞

Description

Pulse Secure Pulse Connect Secure（又名PCS，前称Juniper Junos Pulse）和Pulse Policy Secure都是美国Pulse Secure公司的产品。Pulse Connect Secure是一套SSL VPN解决方案。Pulse Policy Secure是一套网络准入控制解决方案。 Pulse Secure PCS 8.3R2之前的8.3RX版本和PPS 5.4R2之前的5.4RX版本中存在加密问题漏洞。该漏洞源于网络系统或产品未正确使用相关密码算法，导致内容未正确加密、弱加密、明文存储敏感信息等。攻击者可利用该漏洞获取敏感信息。

Severity

高

Patch Name

Pulse Secure Pulse Connect Secure和Pulse Policy Secure加密问题漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.pulsesecure.net/

Reference

https://www.pulsesecure.net/

Impacted products

Name
['Pulse Secure Pulse Connect Secure 8.3R，<8.3R2', 'Pulse Secure Pulse Policy Secure 5.4R，<5.4R2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-20810",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2018-20810"
    }
  },
  "description": "Pulse Secure Pulse Connect Secure\uff08\u53c8\u540dPCS\uff0c\u524d\u79f0Juniper Junos Pulse\uff09\u548cPulse Policy Secure\u90fd\u662f\u7f8e\u56fdPulse Secure\u516c\u53f8\u7684\u4ea7\u54c1\u3002Pulse Connect Secure\u662f\u4e00\u5957SSL VPN\u89e3\u51b3\u65b9\u6848\u3002Pulse Policy Secure\u662f\u4e00\u5957\u7f51\u7edc\u51c6\u5165\u63a7\u5236\u89e3\u51b3\u65b9\u6848\u3002\n\nPulse Secure PCS 8.3R2\u4e4b\u524d\u76848.3RX\u7248\u672c\u548cPPS 5.4R2\u4e4b\u524d\u76845.4RX\u7248\u672c\u4e2d\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u4f7f\u7528\u76f8\u5173\u5bc6\u7801\u7b97\u6cd5\uff0c\u5bfc\u81f4\u5185\u5bb9\u672a\u6b63\u786e\u52a0\u5bc6\u3001\u5f31\u52a0\u5bc6\u3001\u660e\u6587\u5b58\u50a8\u654f\u611f\u4fe1\u606f\u7b49\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.pulsesecure.net/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-21825",
  "openTime": "2020-04-08",
  "patchDescription": "Pulse Secure Pulse Connect Secure\uff08\u53c8\u540dPCS\uff0c\u524d\u79f0Juniper Junos Pulse\uff09\u548cPulse Policy Secure\u90fd\u662f\u7f8e\u56fdPulse Secure\u516c\u53f8\u7684\u4ea7\u54c1\u3002Pulse Connect Secure\u662f\u4e00\u5957SSL VPN\u89e3\u51b3\u65b9\u6848\u3002Pulse Policy Secure\u662f\u4e00\u5957\u7f51\u7edc\u51c6\u5165\u63a7\u5236\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nPulse Secure PCS 8.3R2\u4e4b\u524d\u76848.3RX\u7248\u672c\u548cPPS 5.4R2\u4e4b\u524d\u76845.4RX\u7248\u672c\u4e2d\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u4f7f\u7528\u76f8\u5173\u5bc6\u7801\u7b97\u6cd5\uff0c\u5bfc\u81f4\u5185\u5bb9\u672a\u6b63\u786e\u52a0\u5bc6\u3001\u5f31\u52a0\u5bc6\u3001\u660e\u6587\u5b58\u50a8\u654f\u611f\u4fe1\u606f\u7b49\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Pulse Secure Pulse Connect Secure\u548cPulse Policy Secure\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Pulse Secure Pulse Connect Secure 8.3R*\uff0c\u003c8.3R2",
      "Pulse Secure Pulse Policy Secure 5.4R*\uff0c\u003c5.4R2"
    ]
  },
  "referenceLink": "https://www.pulsesecure.net/",
  "serverity": "\u9ad8",
  "submitTime": "2019-07-02",
  "title": "Pulse Secure Pulse Connect Secure\u548cPulse Policy Secure\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2018-20810 (GCVE-0-2018-20810)

Vulnerability from cvelistv5 – Published: 2019-03-16 03:00 – Updated: 2024-09-16 17:07

Summary

Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX, PPS 5.2RX, or stand-alone devices.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://kb.pulsesecure.net/articles/Pulse_Securit…

x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T12:12:28.320Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX, PPS 5.2RX, or stand-alone devices."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-03-16T03:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-20810",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX, PPS 5.2RX, or stand-alone devices."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/",
              "refsource": "CONFIRM",
              "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-20810",
    "datePublished": "2019-03-16T03:00:00Z",
    "dateReserved": "2019-03-15T00:00:00Z",
    "dateUpdated": "2024-09-16T17:07:45.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-21825

CVE-2018-20810 (GCVE-0-2018-20810)

Tags

Sightings

Nomenclature