Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormProfundis LabsPACKETSTORM:133711
HistorySep 25, 2015 - 12:00 a.m.

Junos Pulse Secure Meeting 8.0.5 Access Bypass

2015-09-2500:00:00
Profundis Labs
packetstormsecurity.com
37

0.004 Low

EPSS

Percentile

74.2%

JSON
`Profundis Labs Security Advisory  
https://profundis-labs.com/advisories/CVE-2015-7323.txt  
  
Product:  
================================  
Junos Pulse Secure Meeting  
  
Secure Meeting is a part of the Junos Puls Collaboration software, which  
allows you to organize and holding virtual meetings with internal and  
external users via the Juniper Access Gateway.  
  
Vulnerability Type:  
===================  
Insufficient Authorization Checks  
  
CVE Reference:  
==============  
CVE-2015-7323  
  
VENDOR Reference:  
=================  
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40054  
  
Vulnerability Details:  
=====================  
  
It is possible to enter "secure" meetings without knowledge of the password  
and the invitation link using the java fat client (meetingAppSun.jar).  
  
To access such meetings the following information is required: - A valid  
sessionID (DSID). This sessionID can be obtained by either having an  
invitation link to any other meeting or the user has a valid account to log  
into junos pulse using the http login form. - The meeting ID The meeting ID  
is a 7-8 digits number which may be gained using brute force or via  
CVE-2015-7322 (https://profundis-labs.com/advisories/CVE-2015-7322.txt)  
  
Note: The vulnerability is only related to the java fat client. If a user  
tries to access a secure meeting using the web browser (  
https://domain/dana-na/meeting/login_meeting.cgi?mid=PARAM_A&occurrence=0),  
the meeting password (or invitation link) is required.  
  
PoC code(s):  
===============  
Example how to start the java fat client to access a meeting A from the  
command line:  
java -classpath  
/usr/lib/jvm/java-7-oracle/jre/lib/plugin.jar:~/.juniper_networks/meetingAppSun.jar  
SecureMeetingApplication ivehost PARAM_D locale de log_level 1 meeting_type  
0 Parameter0  
"meeting_id=PARAM_A;user_name=xxx;cert_md5=PARAM_B;ncp_read_timeout=90;password=;meeting_url=;mobile_meeting_url="  
uploadlog 1 home_dir "/home/..." user_agent "Mozilla/5.0" neoteris-dsid  
"DSID=PARAM_C"  
  
PARAM_A = meeting ID of Meeting A  
PARAM_B = md5 hash of the SSL-certifificate of Junos Pulse server  
PARAM_C = a valid sessionID  
PARAM_D = the domain/IP of the Junos Pulse server  
  
Disclosure Timeline:  
=========================================================  
  
Vendor Notification: 01/2015  
Vendor Confirmation: 03/2015  
Vendor Patch Release: 06/2015  
Public Disclosure: 09/2015  
  
Affected Version:  
=========================================================  
8.0.5  
  
Exploitation Technique:  
=======================  
Remote  
  
Severity Level:  
=========================================================  
CVSS Score: 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)  
  
  
`

Related

cvelist 2
nvd 2
zdt 1
cve 2
prion 2
cvelist
cvelist
CVE-2015-7322
2015-10-05 15:00:00
CVE-2015-7323
2015-10-05 15:00:00
nvd
nvd
CVE-2015-7323
2015-10-05 15:59:01
CVE-2015-7322
2015-10-05 15:59:00
zdt
zdt
Junos Pulse Secure Meeting 8.0.5 Access Bypass Vulnerability
2015-09-26 00:00:00
cve
cve
CVE-2015-7323
2015-10-05 15:59:01
CVE-2015-7322
2015-10-05 15:59:00
prion
prion
Design/Logic Flaw
2015-10-05 15:59:00
Code injection
2015-10-05 15:59:00

0.004 Low

EPSS

Percentile

74.2%

JSON
Related for PACKETSTORM:133711
cvelist2nvd2zdt1cve2prion2