Pulse Secure has released an advisory on April 19 about a Critical Zero-day Authentication Bypass vulnerability identified as CVE-2021-22893 in Pulse Connect Secure SSL VPN appliances. The vulnerability allows a remote attacker to bypass authentication and perform remote arbitrary file execution on the Pulse Connect Secure gateway. Pulse Secure has assigned a CVSSv3 score of 10 out of 10, which clearly shows this vulnerability’s criticality and should be patched ASAP.
The vulnerability is reported to be used to target the U.S. government, defense, and financial organizations as well as victims in Europe by the state-sponsored Chinese threat actors. FireEye’s Mandiant security team has linked these attacks to threat groups, namely “UNC2630“ and “UNC2717“. Researchers also believe that at least 12 malware families are associated with the exploitation of Pulse Secure VPN devices.
In addition to the advisory, Pulse Secure also released a blog post with details of other previously disclosed vulnerabilities leveraged by attackers. These include:
-
Pulse Connect Secure Arbitrary File Disclosure Vulnerability
This vulnerability is identified with CVE-2019-11510, which is an arbitrary file reading vulnerability with a CVSSv3 score of 9.9 and is rated as “Critical” severity. This is a pre-authentication flaw, which means an unauthenticated, remote attacker can send a specially crafted URI to exploit the bug. This CVE has been exploited in the wild since August 2019 by various threat actors.
Successful exploitation of the flaw allows an attacker to read files from any arbitrary locations on the underlying appliance.
-
Pulse Connect Secure RCE via Template Injection Vulnerability
This vulnerability is identified with CVE-2020-8243, which is a template injection vulnerability with a CVSSv3 score of 7.2 and is rated as “High” severity. This is a post-authentication flaw, which allows an authenticated attacker to upload the custom template to exploit this vulnerability.
Successful exploitation of the flaw allows an attacker to execute arbitrary code as root on the underlying Operating System.
-
Pulse Connect Secure Uncontrolled Gzip Extraction Vulnerability
This vulnerability is identified with CVE-2020-8260, which is an unrestricted file upload vulnerability with a CVSSv3 score of 7.2 and is rated as “High” severity. This is also a post-authentication flaw, which allows an authenticated attacker to exploit this bug using uncontrolled gzip extraction.
Successful exploitation of the flaw allows an attacker to overwrite arbitrary files, resulting in remote code execution as root.
Affected Products
- Pulse Connect Secure versions 9.0R3 and later.
Impact
- Exploiting this Authentication Bypass vulnerability in Pulse Connect Secure allows a remote unauthenticated attacker to execute arbitrary code via unspecified vectors.
Solution
The vendor has not released any patch as of April 22 but has advised updating the Pulse Connect Secure server software version to the 9.1R.11.4 once available. Pulse Secure has mentioned that the zero-day will be patched in early May.
However, Pulse Secure has released a workaround that can be implemented to mitigate attempts to exploit this zero-day vulnerability. The workaround involves downloading an XML file ‘Workaround-2104.xml‘ available from the vendor and importing it. Complete workaround details can be found here. It is worth noting that mitigation will disable the Windows File Share Browser and Pulse Secure Collaboration features on the appliance.
Also, Pulse Connect Secure users are advised to run a utility provided by Pulse Secure to check the integrity of their software.
With SanerNow, always be secure and get the best defense against such risks.