[Update] Zero-Day Vulnerability in Pulse Connect Secure (PCS)

Published on 21 Apr 2021

Updated on 04 May 2021

This is an update to the alert.

Pulse Secure has updated their security advisory to address three additional vulnerabilities in their Pulse Connect Secure (PCS) SSL VPN appliance.

The vulnerabilities are:

  • CVE-2021-22894 - Buffer overflow vulnerability in PCS Collaboration Suite before version 9.1R11.4 allows a remote authenticated user to execute arbitrary code as the root user via a maliciously-crafted meeting room.
  • CVE-2021-22899 - Command injection vulnerability in PCS before version 9.1R11.4 allows a remote authenticated user to perform remote code execution via Windows File Resource Profiles.
  • CVE-2021-22900 - Multiple unrestricted uploads in PCS before version 9.1R11.4 allows an authenticated administrator to perform a file write via a maliciously-crafted archive upload in the administrator web interface.

The security patch, which is now available, will address the three vulnerabilities in this alert, and the one in the original alert. Affected users who are using versions 9.0RX and 9.1RX are advised to upgrade their PCS server software to version 9.1R.11.4 immediately.

Instructions on how to patch affected software versions can be found in the following link:

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/

 

Original alert published on 21 April 2021 below:

Pulse Secure has released a security update to address a critical vulnerability (CVE-2021-22893) in their Pulse Connect Secure SSL VPN appliance. The vulnerability has a maximum Common Vulnerability Scoring System (CVSS) score of 10 out of 10.

Successful exploitation of the vulnerability could allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. The vulnerability affects Pulse Connect Secure (PCS) versions 9.0R3 and higher.

A full patch will not be available until the beginning of May but can be temporarily mitigated by downloading a workaround from Pulse Secure. Affected users are also encouraged to download the PCS Integrity Tool from Pulse Secure to identify any unusual activity on their system. Instructions can be found in the following links: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784 and https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/KB44755/s

More information is available here:
https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
https://www.reuters.com/technology/china-linked-hackers-used-pulse-secure-flaw-target-us-defense-industry-2021-04-20/