An issue exists in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance prior to 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessible because the appliance has its hard disks encrypted, and no root shell is available during normal operation.)
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
pulsesecure pulse connect secure |
||
ivanti connect secure 9.1 |
||
pulsesecure pulse policy secure |
||
ivanti policy secure 9.1 |