Monday, 1 August 2016

On 04:39 by admin   No comments
A vulnerability was found in Pulse Secure Desktop on Windows (the affected version is unknown). It has been classified as critical. Affected is an unknown function. The manipulation with an unknown input leads to a privilege escalation vulnerability. This is going to have an impact on confidentiality, integrity, and availability.
The weakness was disclosed 07/24/2016 by Zhipeng Huo as SA40241 as confirmed security advisory (Website). The advisory is shared for download at kb.pulsesecure.net. This vulnerability is traded as CVE-2016-2408. The exploitability is told to be easy. Local access is required to approach this attack. A single authentication is required for exploitation. The technical details are unknown and an exploit is not available.
Applying the patch 5.0r15.1/5.1r9.1/5.2r4.1 is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the vulnerability database at SecurityTracker (ID 1036474).

CVSSv3

Base Score: 7.8 [?]
Temp Score: 7.5 [?]
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:O/RC:C [?]
Reliability: High

CVSSv2

Base Score: 6.8 (CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C) [?]
Temp Score: 5.9 (CVSS2#E:ND/RL:OF/RC:C) [?]
Reliability: High

VectorComplexityAuthenticationConfidentialityIntegrityAvailability
LocalHighMultipleNoneNoneNone
AdjacentMediumSinglePartialPartialPartial
NetworkLowNoneCompleteCompleteComplete

CPE

Exploiting

Class: Privilege escalation
Local: Yes
Remote: No

0 comments:

Post a comment