Overview
The Pulse Connect Secure (PCS) gateway contains a vulnerability that can allow an unauthenticated remote attacker to execute arbitrary code.
Description
CVE-2021-22893
An unspecified vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system. Products affected by this vulnerability are PCS version 9.0R3 and higher.
This vulnerability is being exploited in the wild.
Impact
By making a crafted request to a vulnerable Pulse Connect Secure system, an unauthenticated remote attacker may be able to execute arbitrary code on the gateway.
Pulse Secure has assigned this vulnerability a critical CVSS score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Solution
While there is currently no patch for this vulnerability, Pulse Secure recommends upgrading to PCS Server version 9.1R.11.4 when it becomes available. In the meantime, Pulse Secure recommends disabling the two affected feature sets on existing PCS instances:
- Windows File Share Browser
- Pulse Secure Collaboration
Pulse Secure has published a Workaround-2104.xml file that reportedly contains mitigations to protect against this vulnerability. As outlined in the Pulse Secure advisory, be sure that the Windows File Share Browser feature is disabled after importing the XML workaround.
Acknowledgements
This vulnerability was publicly reported by Pulse Secure, with additional details and context published by FireEye.
This document was written by Chuck Yarbrough.
References
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
- https://blog.pulsesecure.net/pulse-connect-secure-security-update/
- https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
- https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day-used-to-hack-defense-firms-govt-orgs/
Other Information
CVE IDs: CVE-2021-22893
Date Public: 2021-04-20
Date First Published: 2021-04-20
Date Last Updated: 2021-04-21 13:19 UTC
Document Revision: 3