
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, accepts an arbitrary SSL certificate. The Host Checker is a client-side component that the Pulse Connect Secure appliance may require for VPN connection, performing basic checks on the client according to server policies (Git LSD).
The vulnerability stems from the Host Checker's implementation of a custom protocol for server communication. The client validates neither the server's certificate nor its hostname, a behavior that was likely implemented to support misconfigured instances. This is evidenced in the HttpNAR class, where the trustAllCerts() and allowHostnameMismatch() functions are called when initializing the connection to a server. The code implements a TrustManager that accepts all certificates without validation (Git LSD).
The vulnerability allows attackers in a position to perform a Man-in-the-Middle attack to spoof the server and potentially execute arbitrary commands on the client system. This is particularly concerning as the Host Checker is a required component for VPN connections in many deployments (Git LSD).
The vulnerability was addressed in subsequent versions of Pulse Connect Secure. Organizations should ensure they are running a patched version of the software. The fix likely includes proper certificate validation in the Host Checker component (Git LSD).
Source: This report was generated using AI