
Pulse Connect Secure Buffer Overflow Vulnerability

Reference: Advisory #2021-010
Version: 1.0
Affected software: Pulse Connect Secure 9.0Rx, Pulse Connect Secure 9.1Rx
Type: Buffer Overflow
CVE/CVSS: CVE-2021-22908 - CVSS: 8.5

Sources

Pulse Security Advisory: SA44800 - 2021-05: Out-of-Cycle Advisory: Pulse Connect Secure Buffer Overflow Vulnerability (pulsesecure.net)

Risks

A remote authenticated attacker with privileges to browse SMB shares can use this vulnerability to execute arbitrary code with root user privileges.

Recommended Actions

CERT.be recommends that all system administrators upgrade their vulnerable Pulse Secure instances to version 9.1R11.5 or later as soon as it becomes available.

A workaround is currently available; the procedure is published on the vendor's website: Pulse Security Advisory: SA44800 - 2021-05: Out-of-Cycle Advisory: Pulse Connect Secure Buffer Overflow Vulnerability (pulsesecure.net)