You are currently viewing Pulse Connect Secure Zero-Day Vulnerability Under Active Exploitation (CVE-2021-22893)

Pulse Connect Secure Zero-Day Vulnerability Under Active Exploitation (CVE-2021-22893)

  • Post author:
  • Reading time:4 mins read

Pulse Secure released an advisory on April 19 about a Critical Zero-day Authentication Bypass vulnerability identified as CVE-2021-22893 in Pulse Connect Secure SSL VPN appliances. The vulnerability allows a remote attacker to bypass authentication and perform remote arbitrary file execution on the Pulse Connect Secure gateway. Pulse Secure has assigned a CVSSv3 score of 10 out of 10. This clearly shows this vulnerability’s criticality and should be patched ASAP. A good vulnerability management tool can prevent these attacks.

The vulnerability is reported to be used to target the U.S. government, defense, and financial organizations. As well as victims in Europe by the state-sponsored Chinese threat actors.  FireEye’s Mandiant security team has linked these attacks to threat groups, namely UNC2630“ and “UNC2717“. Researchers also believe that at least 12 malware families are associated with exploiting Pulse Secure VPN devices. The vulnerability management software can prevent this exploitation.

In addition to the advisory, Pulse Secure also released a blog post detailing other previously disclosed vulnerabilities leveraged by attackers. These include:

  • Pulse Connect Secure Arbitrary File Disclosure Vulnerability

This vulnerability is identifying with CVE-2019-11510, an arbitrary file reading vulnerability with a CVSSv3 score of 9.9. And rated as “Critical” severity. This is a pre-authentication flaw, which means an unauthenticated, remote attacker can send a specially crafted URI to exploit the bug. Various threat actors have exploited This CVE in the wild since August 2019.

Successful exploitation of the flaw allows an attacker to read files from any arbitrary locations on the underlying appliance.

  • Pulse Connect Secure RCE via Template Injection Vulnerability

This vulnerability is identifying with CVE-2020-8243, a template injection vulnerability with a CVSSv3 score of 7.2 and rated as “High” severity.  This post-authentication flaw allows an authenticated attacker to upload the custom template to exploit this vulnerability.

Successful exploitation of the flaw allows an attacker to execute arbitrary code as root on the underlying Operating System.

  • Pulse Connect Secure Uncontrolled Gzip Extraction Vulnerability

This vulnerability is identifying with CVE-2020-8260, an unrestricted file upload vulnerability with a CVSSv3 score of 7.2 and rated as “High” severity.  This is also a post-authentication flaw, which allows an authenticated attacker to exploit this bug using uncontrolled gzip extraction.

Successful exploitation of the flaw allows an attacker to overwrite arbitrary files, resulting in remote code execution as root.


Affected Products via CVE-2021-22893

  • Pulse Connect Secure versions 9.0R3 and later.

Impact of CVE-2021-22893

  • Exploiting this Authentication Bypass vulnerability in Pulse Connect Secure allows a remote unauthenticated attacker to execute arbitrary code via unspecified vectors.

Solution for CVE-2021-22893

The vendor has not released any patch since April 22 but has advised updating the Pulse Connect Secure server software version to 9.1R.11.4 once available. Pulse Secure mentions that the zero-day patched in early May.

However, Pulse Secure released a workaround that can implement to mitigate attempts to exploit this zero-day vulnerability. The workaround involves downloading and importing an XML file, ‘Workaround-2104.xml,’ from the vendor. Complete workaround details are present here. It is worth noting that mitigation will disable the Windows File Share Browser and Pulse Secure Collaboration features on the appliance.

Also, Pulse Connect Secure users are advising to run a utility provided by Pulse Secure. To check the integrity of their software.

With SanerNow, always be secure and get the best defense against such risks.

Share this article