The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of PulseSecure Connect Secure

Vulnerability announcement CVE-2014-3823

Junos Pulse SSL VPN: clickjacking

Synthesis of the vulnerability

An attacker can perform a clickjacking attack against Junos Pulse SSL VPN, in order to force the victim to perform unwanted operations.
Impacted products: IVE OS, Junos Pulse, MAG Series by Juniper, Juniper SA, Pulse Connect Secure.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 10/09/2014.
Identifiers: CERTFR-2014-AVI-387, CVE-2014-3823, JSA10647, VIGILANCE-VUL-15332.

Description of the vulnerability

The Junos Pulse SSL VPN product offers a web service.

However, it does not send the X-Frame-Options header, which forbids other sites from including its pages in a frame.

An attacker can therefore perform a clickjacking attack against Junos Pulse SSL VPN, in order to force the victim to perform unwanted operations.

Computer vulnerability CVE-2007-5846

Net-SNMP: denial of service via GETBULK

Synthesis of the vulnerability

An attacker can create a denial of service by requesting a large amount of data with GETBULK.
Impacted products: Debian, Fedora, Mandriva Linux, Mandriva NF, Net-SNMP, openSUSE, Pulse Connect Secure, RHEL, SLES, ESX.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 08/11/2007.
Identifiers: 1712988, BID-26378, CVE-2007-5846, DSA-1483-1, FEDORA-2007-3019, MDKSA-2007:225, RHSA-2007:1045-01, SA43730, SUSE-SR:2007:025, VIGILANCE-VUL-7325, VMSA-2008-0007, VMSA-2008-0007.1, VMSA-2008-0007.2.

Description of the vulnerability

The SNMP protocol defines several query types:
 - SET: change a parameter
 - GET: read a parameter
 - GETNEXT: obtain the next parameter
 - GETBULK: repeat GETNEXT, up to a maximum indicated in the query

However, there is no limit on the number of repetitions of GETBULK. An attacker can therefore, with one request, force the SNMP server to obtain and transfer a lot of data.

An attacker can thus create a denial of service.