CVE-2015-5369 in Pulse Secure
Summary
by MITRE
Pulse Connect Secure (aka PCS and formerly Juniper PCS) PSC6000, PCS6500, and MAG PSC360 8.1 before 8.1r5, 8.0 before 8.0r13, 7.4 before 7.4r13.5, and 7.1 before 7.1r22.2 and PPS 5.1 before 5.1R5 and 5.0 before 5.0R13, when Hardware Acceleration is enabled, does not properly validate the Finished TLS handshake message, which makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted Finished message.
Analysis
by VulDB Data Team • 06/07/2022
The vulnerability identified as CVE-2015-5369 affects Pulse Connect Secure appliances including PSC6000, PCS6500, and MAG PSC360 devices along with PPS 5.1 and 5.0 versions. This security flaw resides in the TLS handshake validation mechanism within the hardware acceleration feature, creating a significant weakness that undermines the integrity of secure communications. The vulnerability specifically impacts versions prior to the mentioned patches, making numerous deployments susceptible to exploitation. The affected systems operate under the assumption that the Finished TLS handshake message will be properly validated, but this validation process contains a critical gap that allows malicious actors to manipulate the handshake process.
The technical flaw manifests when hardware acceleration is enabled on these appliances, causing the system to bypass proper validation of the Finished TLS handshake message. This message is a crucial component of the TLS protocol that serves to verify that both parties have correctly processed the handshake and agree on the shared secrets. The vulnerability stems from insufficient cryptographic validation where the appliance fails to properly verify the integrity of this message, creating an opportunity for attackers to inject malicious data during the handshake process. This weakness is categorized as a cryptographic weakness under CWE-310 and represents a failure in proper authentication and key exchange validation processes. The flaw enables attackers to perform man-in-the-middle attacks by crafting specially designed Finished messages that can bypass the system's security checks.
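To make concrete what "validating the Finished message" means, the following is an added example (not code from VulDB, Pulse Secure or the original page) that computes TLS 1.2 verify_data as RFC 5246 defines it (PRF over the master secret, the finished label and the SHA-256 transcript hash, 12 bytes) and checks it in constant time. The master secret and handshake transcript are constructed sample values. The advisory does not say where the appliance's check actually failed, so the `weak_validate_finished` function is only a generic illustration of an endpoint that accepts a Finished message without recomputing verify_data; it is an assumption, not the product's code.

```python
import hashlib
import hmac

VERIFY_DATA_LEN = 12  # TLS 1.2 default verify_data length (RFC 5246 section 7.4.9)


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion from RFC 5246 section 5."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def finished_verify_data(master_secret: bytes, handshake_messages: bytes, label: bytes) -> bytes:
    """verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0..11]."""
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return prf(master_secret, label, transcript_hash, VERIFY_DATA_LEN)


def validate_finished(master_secret: bytes, handshake_messages: bytes,
                      label: bytes, received: bytes) -> bool:
    """Correct check: recompute verify_data from our own view of the
    handshake and compare in constant time. A peer that did not derive
    the same master secret, or saw a different transcript, fails here."""
    expected = finished_verify_data(master_secret, handshake_messages, label)
    return len(received) == VERIFY_DATA_LEN and hmac.compare_digest(expected, received)


def weak_validate_finished(received: bytes) -> bool:
    """Illustrative weak check (assumption, not the appliance's real logic):
    only the message shape is inspected, so any 12-byte value passes and a
    tampered handshake goes undetected."""
    return len(received) == VERIFY_DATA_LEN


# Constructed sample inputs: a fake 48-byte master secret and a fake
# concatenation of the handshake messages exchanged before Finished.
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerKeyExchange|ClientKeyExchange"
TAMPERED_TRANSCRIPT = TRANSCRIPT.replace(b"ServerKeyExchange", b"ServerKeyExchangeX")
CLIENT_LABEL = b"client finished"


def demo() -> dict:
    good = finished_verify_data(MASTER_SECRET, TRANSCRIPT, CLIENT_LABEL)
    return {
        # genuine peer, same secret and transcript
        "correct_accepts_genuine": validate_finished(MASTER_SECRET, TRANSCRIPT, CLIENT_LABEL, good),
        # our transcript differs from the peer's (something in the handshake was altered)
        "correct_rejects_tampered": validate_finished(MASTER_SECRET, TAMPERED_TRANSCRIPT, CLIENT_LABEL, good),
        # an arbitrary 12-byte value that was never derived from the secret
        "correct_rejects_forged": validate_finished(MASTER_SECRET, TRANSCRIPT, CLIENT_LABEL, b"\x00" * 12),
        "weak_accepts_forged": weak_validate_finished(b"\x00" * 12),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the example is the last two lines of the result: a validator that recomputes verify_data rejects a Finished message that does not match its own view of the handshake, while one that skips the recomputation accepts anything of the right shape, which is exactly the gap that lets a tampered handshake complete.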
The operational impact of this vulnerability is severe as it allows remote attackers to establish fraudulent connections without proper authentication, potentially leading to complete network compromise. Attackers can intercept, modify, or redirect encrypted traffic passing through these vulnerable appliances, undermining the confidentiality and integrity guarantees that TLS is designed to provide. The vulnerability affects the fundamental security model of the appliances, making them susceptible to attacks that could compromise user credentials, sensitive data transfers, and overall network security posture. Organizations using these appliances in critical infrastructure or enterprise environments face significant risk of unauthorized access and data breaches. The attack vector requires only remote access to the network, making exploitation relatively straightforward and increasing the attack surface significantly.
Mitigation strategies for this vulnerability involve applying the vendor-provided patches and updates that address the TLS handshake validation issue. Organizations should immediately upgrade to the patched versions mentioned in the advisory, specifically versions 8.1r5, 8.0r13, 7.4r13.5, 7.1r22.2, 5.1R5, and 5.0R13. Disabling hardware acceleration on affected appliances provides a temporary workaround while patches are deployed, though this may impact performance. Network segmentation and monitoring should be implemented to detect anomalous TLS handshake behavior that might indicate exploitation attempts. The vulnerability aligns with ATT&CK technique T1573.002 for secure communications protocols and represents a critical failure in the authentication and key exchange phase of network security implementations. Security teams should conduct comprehensive vulnerability assessments to identify all affected devices and implement proper patch management processes to prevent similar issues in the future.