CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Percentile: 99.5%
Pulse Connect Secure (PCS) gateway contains a use-after-free vulnerability that can allow an unauthenticated remote attacker to execute arbitrary code.
CVE-2021-22893
A use-after-free vulnerability that can be reached via a license server handling endpoint may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system.
Every system that is running PCS 9.0R3 or higher or 9.1R1 through 9.2R11.3 is affected. Having the license server configuration enabled is NOT a prerequisite to being vulnerable. The vulnerable endpoints are present regardless of whether the system is an actual license server or not.
This vulnerability is being exploited in the wild.
By making a crafted request to a vulnerable Pulse Connect Secure system, an unauthenticated remote attacker may be able to execute arbitrary code on the gateway with root privileges.
This vulnerability and others are addressed in Pulse Connect Secure 9.1R11.4.
If you are not using the features that the following workaround disables, we recommend applying the XML workaround even on systems that have been upgraded to 9.1R11.4 to reduce attack surface. Pulse Secure has published a Workaround-2104.xml file that contains mitigations to protect against this and other vulnerabilities. Importing this XML workaround will activate the protections immediately and does not require any downtime for the VPN system. This workaround will block requests that match the following URI patterns:
^/+dana/+meeting
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
^/+dana-ws/+namedusers
^/+dana-ws/+metric
Note that installing this workaround will block the ability to use the following features:
Instead of using the workaround to protect a PCS that is being used as a license server, we recommend updating such systems to PCS 9.1R11.4. If this is not possible, restrict which IP addresses are allowed to communicate with the system.
A PCS administrator should run the PCS Integrity Assurance utility to help determine if a system has evidence that it has been compromised. Please be aware of two limitations of this tool:
By default, PCS devices do not log unauthenticated web requests. Additionally, the administrative interface for a PCS device will warn that: "Selecting this can quickly fill up User access log space in case of attack."
Because this vulnerability is exploitable via an unauthenticated request to the PCS, evidence of exploitation may only be present if the "Unauthenticated Requests" logging option is enabled. Enable this feature in the PCS administrative web interface by visiting: System -> Log/Monitoring -> User Access -> Settings and enabling the "Unauthenticated Requests" option.
Attackers who have compromised a PCS device may delete on-device logs in the process. For this reason, configure a remote Syslog server to ensure that PCS log entries are not modified or deleted.
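As an added example (not part of this note, and not Pulse Secure's Integrity Assurance utility or workaround code), the script below applies the Workaround-2104.xml URI patterns listed above to exported "Unauthenticated Requests" log lines, so a defender reviewing remote syslog can find requests the workaround would have blocked. The log line layout (`src=... uri=...`) and the sample lines are constructed assumptions, not the real PCS log format.

```python
import re

# URI patterns from Pulse Secure's Workaround-2104.xml, as listed in this note.
# Each "/+" matches one or more slashes, so "//dana-ws//metric" is caught too.
WORKAROUND_PATTERNS = [
    r"^/+dana/+meeting",
    r"^/+dana/+fb/+smb",
    r"^/+dana-cached/+fb/+smb",
    r"^/+dana-ws/+namedusers",
    r"^/+dana-ws/+metric",
]
_COMPILED = [re.compile(p) for p in WORKAROUND_PATTERNS]

# ASSUMED log shape (hypothetical, not the real PCS format): a syslog-style line
# carrying "src=<ip> uri=<path>". Adjust LOG_RE to your exporter's actual fields.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+uri=(?P<uri>\S+)")


def matches_workaround(uri):
    """Return the workaround pattern that would block this URI, or None."""
    for pat in _COMPILED:
        if pat.match(uri):  # anchored at start, like the "^" in the XML rules
            return pat.pattern
    return None


def triage(lines):
    """Return (src, uri, pattern) for every log line the workaround would block."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a web request record; skip it
        pat = matches_workaround(m.group("uri"))
        if pat:
            hits.append((m.group("src"), m.group("uri"), pat))
    return hits


# Constructed sample lines (not real PCS output); addresses are documentation ranges.
SAMPLE_LOG = [
    "2021-04-20T10:00:00Z pcs system: license check skipped",
    "2021-04-20T10:00:01Z pcs web: src=198.51.100.7 uri=/dana-na/auth/welcome",
    "2021-04-20T10:00:02Z pcs web: src=203.0.113.9 uri=/dana-ws/namedusers",
    "2021-04-20T10:00:03Z pcs web: src=203.0.113.9 uri=//dana-ws//metric",
    "2021-04-20T10:00:04Z pcs web: src=192.0.2.44 uri=/dana/meeting/index.cgi",
    "2021-04-20T10:00:05Z pcs web: src=192.0.2.44 uri=/dana-cached/fb/smb",
]

if __name__ == "__main__":
    for src, uri, pat in triage(SAMPLE_LOG):
        print(f"{src}\t{uri}\tblocked by {pat}")
```

A hit only means a request reached a path the workaround blocks, not that exploitation succeeded; the Integrity Assurance utility remains the check for on-device evidence.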
This vulnerability was publicly reported by Pulse Secure, with additional details and context published by FireEye.
This document was written by Chuck Yarbrough and Will Dormann.
VU#213092
Updated: 2021-04-20
Statement Date: April 20, 2021

| CVE ID | Status |
|---|---|
| CVE-2021-22893 | Affected |

We have not received a statement from the vendor.

| CVE IDs: | CVE-2021-22893 |
|---|---|
| Date Public: | 2021-04-20 |
| Date First Published: | |
blog.pulsesecure.net/pulse-connect-secure-security-update/
kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day-used-to-hack-defense-firms-govt-orgs/
www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html