#Pulse secure zip file
Navigate to Authentication → Signing In → Sign-in Pages, click Upload Custom Pages, and fill in the form, uploading the Duo Juniper package zip file downloaded from the Duo Admin Panel earlier as the custom sign-in pages.
#Pulse secure download
You should also have a working primary authentication configuration for your SSL VPN users, e.g. Log in to the Duo Admin Panel and navigate to Applications. Click Protect an Application and locate the entry for Juniper SSL VPN in the applications list. Click Protect to the far right to configure the application and get your integration key, secret key, and API hostname; you'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options. Download the Duo Juniper 8.x package zip file for your device's firmware version from the Duo Admin Panel (even for Pulse v9.x devices). This file is customized for your account and has your Duo account ID appended to the file name (after the version). Download the DigiCert SHA2 High Assurance Server CA certificate from the DigiCert site for installation on your device; you will need to upload this to your Pulse SSL VPN.
Make sure that Duo is compatible with your Pulse Secure Access SSL VPN: log on to your Pulse administrator interface and verify that your firmware is version 8.3, 9.0, or later.
#Pulse secure how to
Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them.

The vulnerability is due to a flaw in the way that archive files (.TAR) are extracted in the administrator web interface. While further checks were added to validate the TAR file to prevent exploitation of CVE-2020-8260, additional variant and patch analysis revealed that it's possible to exploit the same extraction vulnerability in the part of the source code that handles profiler device databases, effectively getting around the mitigations put in place. "Whilst this issue was patched by adding validation to extracted files, this validation does not apply to archives with the 'profiler' type," Warren said. "Therefore, by simply modifying the original CVE-2020-8260 exploit to change the archive type to 'profiler', the patch can be bypassed, and code execution achieved."
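The failure pattern described above (an archive-extraction path whose traversal check was added for one archive type only) is easy to reproduce in miniature. The following is an added Python illustration written for this page, not Pulse Secure's code and not the published exploit; the `archive_type` values `"template"` and `"profiler"`, the member names and the payload are constructed for the demonstration. It builds a gzipped TAR whose member name climbs out of the extraction root, shows that a per-type check still lets the `profiler` path write outside the root, and shows a hardened extractor that validates every member (names, links and realpath containment) before writing anything, regardless of type.

```python
import io
import os
import tarfile
import tempfile


def build_tar(member_name: str, payload: bytes = b"planted\n") -> bytes:
    """Constructed sample archive with a single regular-file member (hypothetical input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def member_is_safe(root: str, member: tarfile.TarInfo) -> bool:
    """True only if the member is a regular file whose resolved path stays under root.

    Symlinks and hardlinks are rejected outright: a link member can point anywhere,
    and a later member could then be written 'through' it.
    """
    if not member.isfile():
        return False
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, member.name))
    return target == real_root or target.startswith(real_root + os.sep)


def _write_member(tar: tarfile.TarFile, root: str, member: tarfile.TarInfo) -> str:
    dest = os.path.join(root, member.name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(tar.extractfile(member).read())
    return os.path.realpath(dest)


def extract_vulnerable(data: bytes, root: str, archive_type: str) -> list:
    """Models the incomplete fix: the traversal check runs only for 'template' archives,
    so a 'profiler' archive is extracted unchecked. Returns the paths actually written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if archive_type == "template" and not member_is_safe(root, member):
                raise ValueError(f"rejected member {member.name!r}")
            written.append(_write_member(tar, root, member))
    return written


def extract_hardened(data: bytes, root: str, archive_type: str) -> list:
    """Validates every member up front, independent of archive_type, and writes nothing
    if any member is unsafe (no partially extracted archive is left behind)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = tar.getmembers()
        bad = [m.name for m in members if not member_is_safe(root, m)]
        if bad:
            raise ValueError(f"unsafe members in {archive_type} archive: {bad}")
        return [_write_member(tar, root, m) for m in members]


def demo() -> dict:
    """Runs both extractors against a traversal archive and a benign one."""
    evil = build_tar("../../outside/planted.txt")
    benign = build_tar("config/settings.xml", b"<settings/>\n")
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "a", "b", "extract")
        os.makedirs(root)
        real_root = os.path.realpath(root)

        # Unchecked 'profiler' path: the file lands two levels above the extraction root.
        paths = extract_vulnerable(evil, root, "profiler")
        results["vulnerable_profiler_escaped"] = not paths[0].startswith(real_root + os.sep)

        # The same archive tagged 'template' is caught by the per-type check.
        try:
            extract_vulnerable(evil, root, "template")
            results["vulnerable_template_blocked"] = False
        except ValueError:
            results["vulnerable_template_blocked"] = True

        # Hardened extractor rejects it whatever the type, and still accepts a benign archive.
        try:
            extract_hardened(evil, root, "profiler")
            results["hardened_blocked"] = False
        except ValueError:
            results["hardened_blocked"] = True
        ok = extract_hardened(benign, root, "profiler")
        results["hardened_benign_inside_root"] = ok[0].startswith(real_root + os.sep)
    return results


if __name__ == "__main__":
    print(demo())
```

The check worth copying is the one in `extract_hardened`: it resolves each member with `os.path.realpath` against the resolved root and refuses link members, and it does so for the whole archive before the first byte is written, so there is no single code path (a second archive type, a later feature) that can reach the write without passing through it.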
Tracked as CVE-2021-22937 (CVSS score: 9.1), the shortcoming could "allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface," according to Pulse Secure. CVE-2020-8260 (CVSS score: 7.2), which concerns an arbitrary code execution flaw using uncontrolled gzip extraction, was remediated in October 2020 with version 9.1R9. "CVE-2021-22937 is a separate vulnerability and is not a bypass of CVE-2020-8260, but is similar in terms of impact and vulnerability type, which is why we assigned a separate CVE," Daniel Spicer, Ivanti's vice president of security, said in a statement to The Hacker News.
#Pulse secure update
The disclosure comes days after Ivanti, the company behind Pulse Secure, published an advisory for as many as six security vulnerabilities on August 2, urging customers to move quickly to update to Pulse Connect Secure version 9.1R12 to secure against any exploitation attempts targeting the flaws. "An attacker with such access will be able to circumvent any restrictions enforced via the web application, as well as remount the filesystem, allowing them to create a persistent backdoor, extract and decrypt credentials, compromise VPN clients, or pivot into the internal network," Warren added.