Headline
CVE-2022-21826: Public KB - SA45476 - Client Side Desync Attack (Informational)
Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request’s Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection, this means when someone loads website attacker may be able to make browser issue a POST to the application, enabling XSS.
Related Articles
Information
Product Affected
Pulse Connect Secure 9.1R15 and below.
Problem
Portswigger has provided a responsible disclosure of a vulnerability that affects the Pulse Collaboration feature. Their write up can be found here: https://portswigger.net/research/browser-powered-desync-attacks
Ivanti has also requested CVE-2022-21826.
The type of attack in this instance is a Client-Side Desync (CSD) Attack that requires an authenticated user and requires full control over an authenticated session. This is possible between a client machine and the VPN (Pulse Connect Secure) server.
Solution
To immediately remediate this issue, upgrade the Pulse Connect Secure server to 9.1R16 or above. The Pulse Collaboration feature that is the target of this attack is not available in this release or any releases post 9.1R16.
Please refer to KB45487 for further information.
CVSS Score
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Score 3.7 (Low)