VULNERABILITY IN PULSE SECURE: PULSE CONNECT SECURE (PCS)
CVE-2021-22893 - 10 (CVSS 3.0)
Sources
Pulse Connect Secure Security Update - Pulse SecureBlog
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755
Risks
A vulnerability was discovered under Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability (CVE-2021-22893) that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway.
Description
Threat actors are actively unleashing attacks that attempt to steal encryption keys, passwords and other sensitive data from vulnerable Pulse Secure VPN servers.
An authentication by-pass vulnerability (CVE-2021-22893) in the components Windows File Share Browser and Pulse Secure Collaboration of Pulse Connect Secure may allow an unauthenticated attacker to execute arbitrary code on the target system.
Mitigations
Pulse Secure recommends disabling the two affected components on existing PCS instances:
- Windows File Share Browser
- Pulse Secure Collaboration
Pulse Secure has published a Workaround-2104.xml (Download Center at https://my.pulsesecure.net) file that contains mitigations to protect against this vulnerability. As outlined in the Pulse Secure advisory, be sure that the Windows File Share Browser feature is disabled after importing the XML workaround.
Recommended Actions
CERT.be recommends all system administrators to upgrade their vulnerable Pulse Secure instances to version 9.1R11.4 minimum once available. Meanwhile, you can use The Pulse Security Integrity Checker Tool to see if you have been compromised.
References
https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actor...
https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day...