The impact of this issue is rated medium – high. Please take the action stated below to rectify it.
Pulse Secure Client for Windows
What you need to know:
A time-of-check time-of-use (TOCTOU) vulnerability in PulseSecureService.exe, which runs as NT AUTHORITY\SYSTEM, allows unprivileged users to run a Microsoft Installer executable with elevated privileges. It affects Pulse Secure Client for Windows versions prior to 9.1.6, down to 5.3 R70.
Actions to be taken:
Install Pulse Secure Client version 9.1r6 or higher.
What is the impact of not doing the actions?
Pulse Secure Client for Windows suffers from a local privilege escalation vulnerability in the “PulseSecureService.exe” service. Exploiting this issue allows an attacker to trick “PulseSecureService.exe” into running an arbitrary Microsoft Installer executable (“.msi”) with SYSTEM privileges, granting them administrative rights.