Patch/Configuration Management, Vulnerability Management

Pulse Secure VPN vulnerability can allow MITM attacks

The Software Engineering Institute at Carnegie Mellon University (KB CERT) posted an advisory warning stating the Pulse Secure VPN Linux graphic user interface (GUI) fails to validate SSL certificates leaving them open to man-in-the-middle attacks and recommends downloading a security update.

KB CERT's advisory,for CVE-2018-6374, noted that because the WebKit component of Linux Pulse Secure client GUI is configured to ignore SSL validation errors modifying traffic between a Pulse Secure Linux client GUI and a server. This can let an attacker take actions in the Pulse Secure Linux client GUI when it is connected to an untrusted network possibly allowing the threat actor to make changes to the GUI.

These changes can range from simply changing the welcome message when a VPN connection is established to connecting the user to a malicious server.

KB CERT said issue is addressed in Pulse Secure versions PULSE5.3R4.2 Software (Build 639) and PULSE5.2R9.2 Software (Build 638) and it also suggested not using the Linux client GUI on untrusted networks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.