search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Pulse Connect Secure contains multiple use-after-free vulnerabilities

Vulnerability Note VU#213092

Original Release Date: 2021-04-20 | Last Revised: 2021-05-06

Overview

Pulse Connect Secure (PCS) gateway contains multiple use-after-free vulnerabilities that can allow an unauthenticated remote attacker to execute arbitrary code.

Description

CVE-2021-22893

Multiple use-after-free vulnerabilities that can be reached via license server handling endpoints may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system.

Every system that is running PCS 9.0R3 or higher or 9.1R1 or higher is affected. Having the license server configuration enabled is NOT a prerequisite to being vulnerable. The vulnerable endpoints are present regardless of whether the system is an actual license server or not.

This vulnerability is being exploited in the wild.

Impact

By making a crafted request to a vulnerable Pulse Connect Secure system, an unauthenticated remote attacker may be able to execute arbitrary code on the gateway with root privileges.

Solution

Apply an update

This vulnerability is addressed in Pulse Connect Secure 9.1R11.4.

Apply a workaround

Pulse Secure has published a Workaround-2104.xml file that contains mitigations to protect against this vulnerability. Importing this XML workaround will activate the protections immediately and does not require any downtime for the VPN system. Note that installing this workaround will block the ability to use the following features:

  • Windows File Share Browser
  • Pulse Secure Collaboration
  • License Server

Instead of using the workaround to protect a PCS that is being used as a license server, we recommend updating such systems to PCS 9.1R11.4. If this is not possible, restrict which IP addresses are allowed to communicate with the system.

Acknowledgements

This vulnerability was publicly reported by Pulse Secure with additional details and context published by Fireye.

This document was written by Chuck Yarbrough and Will Dormann.

Vendor Information

213092
 

Other Information

CVE IDs: CVE-2021-22893
Date Public: 2021-04-20
Date First Published: 2021-04-20
Date Last Updated: 2021-05-06 18:02 UTC
Document Revision: 6

Sponsored by CISA.