Junos Pulse Secure Meeting 8.0.5 Access Bypass Vulnerability

🗓️ 26 Sep 2015 00:00:00Reported by Profundis LabsType

zdt🔗 0day.today👁 60 Views

Junos Pulse Secure Meeting 8.0.5 Access Bypass Vulnerability allows authenticated users to bypass meeting authorization, gaining access to meetings using specific sessionID and meeting ID. Attackers can access without a password or invitation link using java fat client. Vendor patched in 06/2015

Reporter	Title	Published	Views	Family All 15
CNVD	Pulse Connect Secure Secure Meeting Component Access Control Vulnerability	3 Oct 201500:00	–	cnvd
CNVD	Pulse Connect Secure Legitimate Conference ID Number Disclosure Vulnerability	3 Oct 201500:00	–	cnvd
CVE	CVE-2015-7322	5 Oct 201515:00	–	cve
CVE	CVE-2015-7323	5 Oct 201515:00	–	cve
Cvelist	CVE-2015-7322	5 Oct 201515:00	–	cvelist
Cvelist	CVE-2015-7323	5 Oct 201515:00	–	cvelist
EUVD	EUVD-2015-7247	7 Oct 202500:30	–	euvd
EUVD	EUVD-2015-7248	7 Oct 202500:30	–	euvd
Ivanti	SA40054 - 2015-09: Security Advisory: Secure Meeting (Pulse Collaboration) issue may allow authenticated users to bypass meeting authorization (CVE-2015-7323)	14 Feb 202307:22	–	ivanti
Ivanti	SA40053 - 2015-09: Security Advisory: Secure Meeting (Pulse Collaboration) information disclosure vulnerability (CVE-2015-7322)	14 Feb 202307:22	–	ivanti

Vulnerablity Title
==================
Secure Meeting (Pulse Collaboration) issue may allow authenticated users to bypass meeting authorization (CVE-2015-7323)

Vendor:
=======================================
Pulse Secure, LLC (www.pulsesecure.net) 

Product:
================================
Junos Pulse Secure Meeting

Secure Meeting is a part of the Junos Puls Collaboration software, which allows you to organize and holding virtual meetings with internal and external users via the Juniper Access Gateway.

Vulnerability Type:
===================
Insufficient Authorization Checks

CVE Reference:
==============
CVE-2015-7323

VENDOR Reference:
=================
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40054

Vulnerability Details:
=====================

It is possible to enter "secure" meetings without knowledge of the password and the invitation link using the java fat client (meetingAppSun.jar). 

To access such meetings the following information is required:
- A valid sessionID (DSID)
  This sessionID can be obtained by either having an invitation link to any other meeting or the user has a valid account to log into junos pulse using the http login form.
- The meeting ID
  The meeting ID is a 7-8 digits number which may be gained using brute force or via CVE-2015-7322 (https://profundis-labs.com/advisories/CVE-2015-7323.txt)

Note: The vulnerability is only related to the java fat client. If a user tries to access a secure meeting using the web browser (https://domain/dana-na/meeting/login_meeting.cgi?mid=PARAM_A&occurrence=0), the meeting password (or invitation link) is required.  

PoC code(s):
===============

Example how to start the java fat client to access a meeting A from the command line:
java -classpath /usr/lib/jvm/java-7-oracle/jre/lib/plugin.jar:~/.juniper_networks/meetingAppSun.jar SecureMeetingApplication ivehost PARAM_D locale de log_level 1 meeting_type 0 Parameter0 "meeting_id=PARAM_A;user_name=xxx;cert_md5=PARAM_B;ncp_read_timeout=90;password=;meeting_url=;mobile_meeting_url=" uploadlog 1 home_dir "/home/..." user_agent "Mozilla/5.0" neoteris-dsid "DSID=PARAM_C"

PARAM_A = meeting ID of Meeting A
PARAM_B = md5 hash of the SSL-certifificate of Junos Pulse server
PARAM_C = a valid sessionID
PARAM_D = the domain/IP of the Junos Pulse server
  
Disclosure Timeline:
=========================================================

Vendor Notification:  01/2015
Vendor Confirmation:  03/2015
Vendor Patch Release: 06/2015 
Public Disclosure:    09/2015

Affected Version:
=========================================================
8.0.5

#  0day.today [2018-03-19]  #

26 Sep 2015 00:00Current

6.6Medium risk

Vulners AI Score6.6

EPSS0.00369