Our selection of information security alerts and advisories.
Sources: US Cert, Cert EU, Cert FR, Cnil, VulDB.

Tuesday, 20 April 2021

VU#213092: Pulse Connect Secure vulnerable to authentication bypass that could allow for remote code execution

Overview

Pulse Connect Secure (PCS) gateway contains a vulnerability that can allow an unauthenticated remote attacker to execute arbitrary code.

Description

CVE-2021-22893

An unspecified vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system. Products affected by this vulnerability are PCS version 9.0R3 and higher.

This vulnerability is being exploited in the wild.

Impact

By making a crafted request to a vulnerable Pulse Connect Secure system, an unauthenticated remote attacker may be able to execute arbitrary code on the gateway.

Pulse Secure has assigned this vulnerability a CVSS v3.1 base score of 10.0 (Critical), with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, scope changed, and high impact on confidentiality, integrity and availability.

Solution

While there is currently no patch for this vulnerability, Pulse Secure recommends upgrading to PCS Server version 9.1R11.4 when it becomes available. In the meantime, Pulse Secure recommends disabling the two affected feature sets on existing PCS instances:

  • Windows File Share Browser
  • Pulse Secure Collaboration

Pulse Secure has published a Workaround-2104.xml file that reportedly contains mitigations to protect against this vulnerability. As outlined in the Pulse Secure advisory, be sure that the Windows File Share Browser feature is disabled after importing the XML workaround.
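The solution above is three separate checks per gateway (version window, workaround imported, affected features actually off). The following added example, not code from Pulse Secure or CERT/CC, turns them into a triage script over an inventory. It assumes PCS version strings are written MAJOR.MINOR R RELEASE[.PATCH] (as in 9.1R11.4), that releases after 9.1R11.4 carry the fix, and an invented inventory record format; the hosts listed are constructed for the example.

```python
"""Triage Pulse Connect Secure gateways against CVE-2021-22893.

Added example. Assumptions not taken from the advisory: the version-string
format MAJOR.MINORrRELEASE[.PATCH], that every release after 9.1R11.4 is
fixed, and the Gateway record layout, which is invented for this script.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_pcs_version(text: str) -> Tuple[int, int, int, int]:
    """'9.1R11.4' -> (9, 1, 11, 4); a missing patch level counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


FIRST_AFFECTED = parse_pcs_version("9.0R3")   # "PCS version 9.0R3 and higher" in the note
FIXED_IN = parse_pcs_version("9.1R11.4")      # fixed release named in the note


def is_vulnerable_version(version: str) -> bool:
    """True for 9.0R3 <= version < 9.1R11.4 (tuple comparison is lexicographic)."""
    return FIRST_AFFECTED <= parse_pcs_version(version) < FIXED_IN


@dataclass
class Gateway:
    name: str
    version: str
    file_share_browser_enabled: bool
    collaboration_enabled: bool
    workaround_2104_imported: bool


def triage(gateways: List[Gateway]) -> List[Tuple[str, str]]:
    """Return (gateway name, action) pairs for every gateway that still needs work."""
    actions: List[Tuple[str, str]] = []
    for gw in gateways:
        if not is_vulnerable_version(gw.version):
            continue  # before 9.0R3 or already on 9.1R11.4 or later: out of scope for this CVE
        if not gw.workaround_2104_imported:
            actions.append((gw.name, "import Workaround-2104.xml"))
        # The advisory says to verify the File Share Browser is disabled even after the import.
        if gw.file_share_browser_enabled:
            actions.append((gw.name, "disable Windows File Share Browser"))
        if gw.collaboration_enabled:
            actions.append((gw.name, "disable Pulse Secure Collaboration"))
        actions.append((gw.name, "upgrade to 9.1R11.4 when available"))
    return actions


# Constructed inventory for the example; these are not real hosts.
INVENTORY = [
    Gateway("vpn-a", "9.1R11.3", True, True, False),   # vulnerable, nothing done yet
    Gateway("vpn-b", "9.1R11.3", False, False, True),  # vulnerable, mitigated, still needs upgrade
    Gateway("vpn-c", "9.1R11.4", True, True, False),   # fixed release
    Gateway("vpn-d", "8.3R7.1", True, True, False),    # below the affected window
]

if __name__ == "__main__":
    for name, action in triage(INVENTORY):
        print(f"{name}: {action}")
```

The version window is kept as two parsed tuples rather than string comparison, because "9.1R11.3" sorts after "9.1R11.4" only if you compare component by component; a naive string compare would also rank "9.1R9" above "9.1R11". The script never drops the upgrade action for a mitigated gateway, since the note presents the workaround as interim only.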

Acknowledgements

This vulnerability was publicly reported by Pulse Secure, with additional details and context published by FireEye.

This document was written by Chuck Yarbrough.

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.

Other Information

Date Public: 2021-04-20
Date First Published: 2021-04-20
Date Last Updated: 2021-04-20 21:52 UTC
Document Revision: 1

Link to the source article

Author: US Cert

Categories: CertUS
