Vulnerability Description
An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, the appliance can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessible because the appliance has its hard disks encrypted, and no root shell is available during normal operation.)
CVSS Score
5.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ivanti | Connect Secure | 9.1 |
| Pulsesecure | Pulse Connect Secure | <= 9.0 |
| Ivanti | Policy Secure | 9.1 |
| Pulsesecure | Pulse Policy Secure | <= 9.0 |
References
- https://kb.pulsesecure.net/?atype=sa (Vendor Advisory)
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516 (Vendor Advisory)
FAQ
What is CVE-2020-12880?
CVE-2020-12880 is a vulnerability with a CVSS score of 5.5 (MEDIUM). An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping int...
How severe is CVE-2020-12880?
CVE-2020-12880 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-12880?
Check the references section above for vendor advisories and patch information. Affected products include: Ivanti Connect Secure, Pulsesecure Pulse Connect Secure, Ivanti Policy Secure, Pulsesecure Pulse Policy Secure.