Vulnerability Title:
Pulse Secure Pulse Connect Secure: CVE-2021-22893: Pulse Connect Secure RCE Vulnerability (SA44784)
Vulnerability Description:
An authentication bypass vulnerability was discovered that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway.
This vulnerability has a critical CVSS score and poses a significant risk to your deployment.
| CVE | CVSS Score (V3.1) | Summary | Product Affected |
| CVE-2021-22893 | 10 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | Vulnerability in Pulse Connect Secure allows a remote unauthenticated attacker to execute arbitrary code via unspecified vectors | PCS 9.0R3 and Higher |
Solution:
The solution for these vulnerabilities is to upgrade the Pulse Connect Secure server software to version 9.1R.11.4. We will update the advisory once the timelines are available.
| If the PCS/PPS version is installed: | Then deploy this version (or later) to resolve the issue: | Expected Release | Notes (if any) |
| Pulse Connect Secure 9.1RX | TBD | TBD | |
| Pulse Connect Secure 9.0RX | TBD | TBD | |
Workaround:
CVE-2021-22893 can be mitigated by importing the Workaround-2104.xml file.
Impact:
The XML file disables the following features on the PCS appliance:
- Windows File Share Browser
- Pulse Secure Collaboration
Note: The XML file is provided in zipped format; unzip it and then import the XML file.

Customers can download the file and import it under the following location:
Go to Maintenance > Import/Export > Import XML. Import the file.
- This disables Pulse Collaboration.
- If there is a load balancer in front of the PCS, this may affect the load balancer.
- If your load balancer is using round robin, HealthCheck.cgi or advanced healthcheck.cgi, it will not be affected.
Disable the Windows File Browser:
- Navigate to User > User Role, click Default Option, then click General.
- Under the Access Feature, make sure the “Files, Windows” option is not checked.
- Go to Users > User Roles
- Click on each role in turn and ensure that, under the Access Feature of each role, the “Files, Windows” option is not enabled.
NOTE: When you apply the upcoming release fix, please remove the workaround with the following steps:
- Import the attached file remove-workaround-2104.xml (found in the same download location as Workaround-2104.xml: the Download Center at https://my.pulsesecure.net)
- Restore the previous settings for “Files, Windows”
This vulnerability affects only 9.0R3 and higher (i.e. versions below 9.0R3 are NOT affected), so the XML patch is not required on versions below 9.0R3.
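The affected-version rule above, applied to an appliance inventory, as an added example that is not part of the advisory or of any Pulse Secure tooling. The function names, result labels and sample host names are assumptions; the fixed-release map is empty by default because the table above still lists those releases as TBD.

```python
import re

# Affected floor from the advisory: "PCS 9.0R3 and Higher".
AFFECTED_FLOOR = (9, 0, 3, 0)

# Accepts 9.0R3, 9.0r3, 9.1R11.3 and the advisory's "9.1R.11.4" spelling.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R\.?(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_pcs_version(text):
    """Return (major, minor, release, patch); raise ValueError if unparseable."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised PCS version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def triage(version_text, fixed_by_branch=None):
    """Classify one appliance by its reported version string.

    fixed_by_branch (hypothetical parameter) maps (major, minor) to the first
    fixed version tuple for that branch; leave it empty while releases are TBD.
    """
    try:
        version = parse_pcs_version(version_text)
    except ValueError:
        return "unknown-review-manually"
    if version < AFFECTED_FLOOR:
        return "not-affected"  # XML workaround not required
    fixed = (fixed_by_branch or {}).get(version[:2])
    if fixed is not None and version >= fixed:
        return "fixed-remove-workaround"  # import remove-workaround-2104.xml
    return "apply-workaround"  # import Workaround-2104.xml


def triage_inventory(inventory, fixed_by_branch=None):
    """Map each host name to its triage result."""
    return {host: triage(ver, fixed_by_branch) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative.
    sample = {
        "vpn-a.example.test": "8.3R7.1",
        "vpn-b.example.test": "9.0R3",
        "vpn-c.example.test": "9.1R11.3",
        "vpn-d.example.test": "not reported",
    }
    for host, result in triage_inventory(sample).items():
        print(f"{host}: {result}")
```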