CVE-2015-5369 : Pulse Connect Secure (aka PCS and formerly Juniper PCS) PSC6000, PCS6500, and MA

Pulse Connect Secure (aka PCS and formerly Juniper PCS) PSC6000, PCS6500, and MAG PSC360 8.1 before 8.1r5, 8.0 before 8.0r13, 7.4 before 7.4r13.5, and 7.1 before 7.1r22.2 and PPS 5.1 before 5.1R5 and 5.0 before 5.0R13, when Hardware Acceleration is enabled, does not properly validate the Finished TLS handshake message, which makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted Finished message.

Published 2015-08-11 14:59:13

Updated 2015-08-11 18:25:51

Source MITRE

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2015-5369

Juniper » Pulse Connect Secure » Version: 8.1
cpe:2.3:a:juniper:pulse_connect_secure:8.1:*:*:*:*:*:*:*
Matching versions
When used together with: Juniper » Mag Pcs360 » Version: N/A
When used together with: Juniper » Pcs6000 » Version: N/A
When used together with: Juniper » Pcs6500 » Version: N/A
Juniper » Pulse Connect Secure » Version: 7.4
cpe:2.3:a:juniper:pulse_connect_secure:7.4:*:*:*:*:*:*:*
Matching versions
When used together with: Juniper » Mag Pcs360 » Version: N/A
When used together with: Juniper » Pcs6000 » Version: N/A
When used together with: Juniper » Pcs6500 » Version: N/A
Juniper » Pulse Connect Secure » Version: 5.1
cpe:2.3:a:juniper:pulse_connect_secure:5.1:*:*:*:*:*:*:*
Matching versions
When used together with: Juniper » Mag Pcs360 » Version: N/A
When used together with: Juniper » Pcs6000 » Version: N/A
When used together with: Juniper » Pcs6500 » Version: N/A
Juniper » Pulse Connect Secure » Version: 8.0
cpe:2.3:a:juniper:pulse_connect_secure:8.0:*:*:*:*:*:*:*
Matching versions
When used together with: Juniper » Mag Pcs360 » Version: N/A
When used together with: Juniper » Pcs6000 » Version: N/A
When used together with: Juniper » Pcs6500 » Version: N/A
Juniper » Pulse Connect Secure » Version: 7.1
cpe:2.3:a:juniper:pulse_connect_secure:7.1:*:*:*:*:*:*:*
Matching versions
When used together with: Juniper » Mag Pcs360 » Version: N/A
When used together with: Juniper » Pcs6000 » Version: N/A
When used together with: Juniper » Pcs6500 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2015-5369

EPSS FAQ

0.30%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 65 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-5369

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2015-5369

CWE-17

Assigned by: nvd@nist.gov (Primary)
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-5369

https://vivaldi.net/en-US/blogs/entry/the-poodle-has-friends

Vivaldi Community

CVEs referencing this url
http://www.securitytracker.com/id/1033166

Juniper Pulse Secure TCP Hardware Acceleration Flaw Lets Remote Users Access Data on the Target System - SecurityTracker
http://kb.juniper.net/InfoCenter/index?page=content&id=TSB16756

Juniper Networks -
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40004

Pulse Security Advisory: SA40004 - [Pulse Secure] TLS connection verification issue (CVE-2015-5369)

Jump to

Vulnerability Details : CVE-2015-5369

Products affected by CVE-2015-5369

Exploit prediction scoring system (EPSS) score for CVE-2015-5369

CVSS scores for CVE-2015-5369

CWE ids for CVE-2015-5369

References for CVE-2015-5369