www.belgium.be Logo of the federal government

VULNERABILITY IN PULSE SECURE: PULSE CONNECT SECURE (PCS)

Reference: 
Advisory #2021-007
Version: 
1.0
Affected software: 
Pulse Connect Secure (PCS) version 9.0R3 and higher
Type: 
Authentication by-pass, Remote code execution
CVE/CVSS: 

CVE-2021-22893 - 10 (CVSS 3.0)

Sources

Pulse Connect Secure Security Update - Pulse SecureBlog

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755

Risks

A vulnerability was discovered under Pulse Connect Secure (PCS).  This includes an authentication by-pass vulnerability (CVE-2021-22893) that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway.

Description

Threat actors are actively unleashing attacks that attempt to steal encryption keys, passwords and other sensitive data from vulnerable Pulse Secure VPN servers.

An authentication by-pass vulnerability (CVE-2021-22893) in the components Windows File Share Browser and Pulse Secure Collaboration of Pulse Connect Secure may allow an unauthenticated attacker to execute arbitrary code on the target system.

Mitigations

Pulse Secure recommends disabling the two affected components on existing PCS instances:

  • Windows File Share Browser
  • Pulse Secure Collaboration

Pulse Secure has published a Workaround-2104.xml file that contains mitigations to protect against this vulnerability. As outlined in the Pulse Secure advisory, be sure that the Windows File Share Browser feature is disabled after importing the XML workaround.

Recommended Actions

CERT.be recommends all system administrators to upgrade their vulnerable Pulse Secure instances to version 9.1R11.4 minimum once available. Meanwhile, you can use The Pulse Security Integrity Checker Tool to see if you have been compromised.

References

https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actor...

https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day...