CVE-2021-22893:Authentication bypass vulnerability in Pulse Connect Secure allows unauthenticated remote code execution.

splash
Back

Description Preview

A critical authentication bypass vulnerability (CVE-2021-22893) affects Pulse Connect Secure versions 9.0R3/9.1R1 and higher. The vulnerability exists in the Windows File Share Browser and Pulse Secure Collaboration features, allowing unauthenticated attackers to bypass authentication and execute arbitrary code on vulnerable Pulse Connect Secure gateways. This vulnerability has been actively exploited in the wild by suspected APT actors. The issue is classified as CWE-416 (Use After Free) and represents a severe security risk for organizations using affected Pulse Connect Secure VPN appliances.

Overview

CVE-2021-22893 is a critical authentication bypass vulnerability in Pulse Connect Secure VPN appliances that allows unauthenticated remote code execution. The vulnerability affects the Windows File Share Browser and Pulse Secure Collaboration features in Pulse Connect Secure versions 9.0R3/9.1R1 and higher. This zero-day vulnerability has been actively exploited in the wild by suspected APT (Advanced Persistent Threat) actors to compromise networks. FireEye has documented exploitation attempts against defense, government, and financial organizations. The vulnerability allows attackers to bypass authentication controls and execute arbitrary code on the VPN appliance, potentially gaining complete control over the system and access to the internal network. As a Use After Free (CWE-416) vulnerability, it involves the incorrect use of memory after it has been freed, which can lead to the execution of arbitrary code.

Remediation

Organizations using affected Pulse Connect Secure versions should immediately:

  1. Apply the security update provided by Pulse Secure to patch the vulnerability.
  2. Follow the guidance in Pulse Secure Security Advisory SA44784.
  3. Run the Pulse Connect Secure Integrity Tool to check for signs of compromise.
  4. If compromise is detected, follow the incident response procedures outlined in the vendor advisory.
  5. Consider implementing additional network segmentation to isolate VPN infrastructure.
  6. Monitor for suspicious activity related to VPN access.
  7. Implement multi-factor authentication if not already in use.
  8. Review and update access control policies for VPN users.
  9. Consider temporarily disabling the Windows File Share Browser and Pulse Secure Collaboration features until patching is complete.
  10. Follow the specific mitigation guidance provided by US-CERT in VU#213092.

References

  1. Pulse Secure Security Advisory: https://blog.pulsesecure.net/pulse-connect-secure-security-update/
  2. US-CERT Vulnerability Note: https://kb.cert.org/vuls/id/213092
  3. FireEye Threat Research: https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
  4. Pulse Secure Security Advisory SA44784 (Note: Link may be broken, check vendor website for updated information)
  5. Common Weakness Enumeration: CWE-416 (Use After Free)

Early Warning

Armis Early Warning customers received an advanced alert on this vulnerability.

Armis Alert Date
May 14, 2021
CISA KEV Date
Nov 3, 2021
173days early
Learn More

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
    Manufacturing
  2. Accommodation & Food Services
    Accommodation & Food Services
  3. Administrative, Support, Waste Management & Remediation Services
    Administrative, Support, Waste Management & Remediation Services
  4. Agriculture, Forestry Fishing & Hunting
    Agriculture, Forestry Fishing & Hunting
  5. Arts, Entertainment & Recreation
    Arts, Entertainment & Recreation
  6. Construction
    Construction
  7. Educational Services
    Educational Services
  8. Finance and Insurance
    Finance and Insurance
  9. Health Care & Social Assistance
    Health Care & Social Assistance
  10. Information
    Information
  11. Management of Companies & Enterprises
    Management of Companies & Enterprises
  12. Mining
    Mining
  13. Other Services (except Public Administration)
    Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
    Professional, Scientific, & Technical Services
  15. Public Administration
    Public Administration
  16. Real Estate Rental & Leasing
    Real Estate Rental & Leasing
  17. Retail Trade
    Retail Trade
  18. Transportation & Warehousing
    Transportation & Warehousing
  19. Utilities
    Utilities
  20. Wholesale Trade
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background
Armis Vulnerability Intelligence Database