Vulnerability Title:

Pulse Secure Pulse Connect Secure: CVE-2021-22893: Pulse Connect Secure RCE Vulnerability (SA44784)

Vulnerability Description:

An authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway was discovered.

This vulnerability has a critical CVSS score and poses a significant risk to your deployment.

CVE CVSS Score (V3.1) Summary Product Affected
CVE-2021-22893

10 Critical

3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability in Pulse Connect Secure allows a remote unauthenticated attacker to execute arbitrary code via unspecified vectors PCS 9.0R3 and Higher

Solution:

The solution for these vulnerabilities is to upgrade the Pulse Connect Secure server software version to the 9.1R.11.4. We will update the advisory once the timelines are available.

If the PCS/PPS version is installed: Then deploy this version (or later) to resolve the issue: Expected Release Notes (if any)
Pulse Connect Secure 9.1RX TBD TBD
Pulse Connect Secure 9.0RX TBD TBD

Workaround:

CVE-2021-22893 can be mitigated by importing the Workaround-2104.xml file.

Impact:

XML File disables the following features under PCS appliance.

  • Windows File Share Browser
  • Pulse Secure Collaboration

Note:  XML file is the zipped format, please unzip and then import the XML file.

Pulse Connect Secure – Critical 0-DAY Vulnerability

Customers can download and import the file under the following location:

Go to Maintenance > Import/Export > Import XML. Import the file.

  • This disables the Pulse Collaboration.
  • If there is a load balancer in front of the PCS, this may affect the Load Balancer.
  • If your load balancer is using round robin or using HealthCheck.cgi or advanced healthcheck.cgi, it will not be affected.

Disable the Windows File Browser:

  • Navigate to User > User Role > Click Default Option >> Click on General
  • Under the Access Feature, make sure the “Files, Window” option is not checked.
  • Go to Users > User Roles
  • Click on each role in turn and ensure under the Access Feature of each role, the File, Windows option is not enabled.

NOTE: When you apply the upcoming release fix, please remove the workaround with the following steps:

  • Importing the attached file remove-workaround-2104.xml (found in the same download location as the Workaround-2104.xml Download (Download Center at https://my.pulsesecure.net))
  • Restore the previous settings for “Files, Windows”

This vulnerability is only affecting 9.0r3 and higher (i.e. versions below 9.0r3 are NOT affected), so the XML patch is not required.