{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-074.pdf"
    },
    "title": "DoS Vulnerabilities in Pulse Secure Products",
    "serial_number": "2022-074",
    "publish_date": "28-10-2022 08:25:00",
    "description": "On October 13, 2022, Ivanti released an advisory regarding two vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Neurons for Zero-Trust Gateway that could lead to DoS conditions if exploited. It is recommended to upgrade to the latest version of these products.",
    "url_title": "2022-074",
    "content_markdown": "---\ntitle: 'DoS Vulnerabilities in\u00a0Pulse\u00a0Secure\u00a0Products'\nversion: '1.0'\nnumber: '2022-074'\noriginal_date: 'October 13, 2022'\ndate: 'October 27, 2022'\n---\n\n_History:_\n\n* _27/10/2022 --- v1.0 -- Initial publication_\n  \n# Summary\n\nOn October 13, 2022, Ivanti released an advisory regarding two vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Neurons for Zero-Trust Gateway that could lead to DoS conditions if exploited [1]. It is recommended to upgrade to the latest version of these products.\n\n# Technical Details\n\nIvanti did not release many technical details about the vulnerabilities, identified as `CVE-2022-35254` and `CVE-2022-35258`, with CVSS scores of 7.5 out of 10. Nevertheless, the company specified that the vulnerabilities could lead to Denial-of-Service (DoS) conditions if exploited. Based on the CVSS scores, we can guess that the vulnerabilities could be exploited remotely and fairly easily.\n\n# Affected Products\n\n**CVE-2022-35254** and **CVE-2022-35258** affect:\n\n- Ivanti Policy Secure 9.1R16, 22.2R1 and below\n- Ivanti Neurons for Zero-Trust Gateway 22.2R1 and below\n- Ivanti Connect Secure 9.1R16.1, 22.2R1 and below\n\nThe Ivanti Neurons for Secure Access was affected by both vulnerabilities. Ivanti upgraded the hosted controller and completed the upgrade on October 9, 2022. There is no action for customers to take regarding the Ivanti Neurons for Secure Access Controller.\n\n# Recommendations\n\nCERT-EU recommends updating the affected systems to the latest version.\n\n# References\n\n[1] <https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520/?kA23Z000000GH5OSAW>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>27/10/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On October 13, 2022, Ivanti released an advisory regarding two vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Neurons for Zero-Trust Gateway that could lead to DoS conditions if exploited [1]. It is recommended to upgrade to the latest version of these products.</p><h2 id=\"technical-details\">Technical Details</h2><p>Ivanti did not release many technical details about the vulnerabilities, identified as <code>CVE-2022-35254</code> and <code>CVE-2022-35258</code>, with CVSS scores of 7.5 out of 10. Nevertheless, the company specified that the vulnerabilities could lead to Denial-of-Service (DoS) conditions if exploited. Based on the CVSS scores, we can guess that the vulnerabilities could be exploited remotely and fairly easily.</p><h2 id=\"affected-products\">Affected Products</h2><p><strong>CVE-2022-35254</strong> and <strong>CVE-2022-35258</strong> affect:</p><ul><li>Ivanti Policy Secure 9.1R16, 22.2R1 and below</li><li>Ivanti Neurons for Zero-Trust Gateway 22.2R1 and below</li><li>Ivanti Connect Secure 9.1R16.1, 22.2R1 and below</li></ul><p>The Ivanti Neurons for Secure Access was affected by both vulnerabilities. Ivanti upgraded the hosted controller and completed the upgrade on October 9, 2022. There is no action for customers to take regarding the Ivanti Neurons for Secure Access Controller.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends updating the affected systems to the latest version.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520/?kA23Z000000GH5OSAW\">https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520/?kA23Z000000GH5OSAW</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}