Multiple Vulnerabilities in Pulse Secure Products

Published on 06 Aug 2021

Updated on 06 Aug 2021

Pulse Secure has released a security update to address several vulnerabilities in their Pulse Connect Secure (PCS) products.

The vulnerabilities are:

CVE-2021-22937 - This vulnerability could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface, resulting in Remote Code Execution on the underlying Operating System with root privileges.

CVE-2021-22933 - This vulnerability could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request.

CVE-2021-22934 - This vulnerability could allow an authenticated administrator or a compromised Pulse Connect Secure device in a load-balanced configuration to perform a buffer overflow via a maliciously crafted web request.

CVE-2021-22935 - This vulnerability could allow an authenticated administrator to perform a command injection via an unsanitised web parameter.

CVE-2021-22936 - This vulnerability could allow an attacker to perform a cross-site scripting attack against an authenticated administrator via an unsanitised web parameter.

CVE-2021-22938 - This vulnerability could allow an authenticated administrator to perform a command injection via an unsanitised web parameter in the administrator web console.

All versions prior to PCS 9.1R12 are affected by these vulnerabilities. Administrators are advised to upgrade to the latest version immediately.
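The first entry above, CVE-2021-22937, turns an uploaded archive into a file write on the appliance. The advisory does not spell out the mechanism; the following added example (not Pulse Secure's code, and not tied to its implementation) shows the general check an upload handler should apply before extracting any archive: reject entries whose resolved path escapes the destination directory, as well as symlinks, hardlinks and device nodes. The destination `/opt/import`, the helper names and the sample archives are constructed for the example.

```python
import io
import os
import tarfile


def unsafe_members(archive_bytes: bytes, dest: str = "/opt/import") -> list:
    """Return the names of archive entries that must not be extracted.

    An entry is rejected if its path, once joined to `dest` and resolved,
    lands outside `dest` (absolute paths or '..' components), or if it is
    a symlink, hardlink or device node. Any of these lets an extraction
    become a write at a location the uploader chose rather than the server.
    `dest` is a placeholder; a real handler would use its own import path.
    """
    dest_real = os.path.realpath(dest)
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            escapes = os.path.commonpath([dest_real, target]) != dest_real
            if escapes or member.issym() or member.islnk() or member.isdev():
                rejected.append(member.name)
    return rejected


def build_archive(entries) -> bytes:
    """Constructed sample data: build an in-memory tar from (name, kind) pairs.

    kind is "file" for a one-byte regular file or "symlink" for a link
    pointing outside the destination. Used only to exercise unsafe_members.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = b"x"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = "../../outside"
                tar.addfile(info)
    return buf.getvalue()
```

A handler that extracts only when `unsafe_members` returns an empty list never writes outside its import directory, whatever the archive contains.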

More information is available here:
https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44858/s
https://blog.pulsesecure.net/improved-security-testing-procedures/