Background
On April 20,2021 Ivanti, the parent company of Pulse Secure, released Pulse Connect Secure version 9.1R11.4 to address the zero-day vulnerability CVE-2021-22893, among 3 other new vulnerabilities.
CVE ID |
CVSS Score V3 |
CVSS Criticality |
Type |
Description |
CVE-2021-22893 |
10.0 |
Critical |
Remote Arbitrary Code Execution |
Multiple use after free in Pulse Connect Secure before 9.1R11.4 allows a remote unauthenticated attacker to execute arbitrary code via license services. |
CVE-2021-22894 |
9.9 |
Critical |
Buffer Overflow |
Buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room. |
CVE-2021-22899 |
9.9 |
Critical |
Command Injection |
Command Injection in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform remote code execution via Windows File Resource Profiles. |
CVE-2021-22900 |
7.2 |
High |
Code Injection |
Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface. |
Analysis
CVE-2021-22893
Vulnerability to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway.
CVE-2021-22894 | CVE-2021-22899 | CVE-2021-22900
All three are post-authentication vulnerabilities. These do not appear to be additional zero-days, but are additional vulnerabilities added into the patch that addresses CVE-2021-22893.
Solutions and Recommendations
The advisory with details on updating to the newest released can be found here.
Arctic Wolf strongly recommends that you apply this update for any Pulse Connect Secure VPN appliances in your network as soon as possible to fully mitigate the zero-day vulnerability that is known to have been used in attacks in the wild.
There are three important items to note about this latest release:
- This release is only for the Pulse Connect Secure VPN appliances themselves, not the Pulse Secure VPN clients. The zero-day vulnerability that was exploited in the wild was done so against the Pulse Connect Secure Servers themselves.
- Ivanti has stated there is a known cert issue for browser clients if upgrading from any version below 9.1R8. The knowledge base (KB) for this known issue can be found here.
- If you previously applied the workaround provided by Ivanti for the zero-day vulnerability to your Pulse Connect Secure VPN appliance, you will need to remove it after applying the 9.1R11.4 update. Details on how to do this can be found in the “Workaround” section of this advisory here.
References
- (Workaround) SA44784 - 2021-04 - Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4
- KB44781 - Multiple functionalities/features fail for End-Users with a Certificate error
Learn more about Arctic Wolf’s Managed Risk solution or request a demo today.