CVE-2021-22894: Public KB - SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4

A buffer overflow vulnerability in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via a maliciously crafted meeting room.


Product Affected

Pulse Connect Secure

Problem

Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS). These include an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. Several of these vulnerabilities have a critical CVSS score and pose a significant risk to your deployment.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? for our End of Engineering (EOE) and End of Life (EOL) policies.

The table below provides details of each vulnerability (CVSS v3.1 score and vector, summary, and product affected):

CVE-2021-22893
  CVSS Score (v3.1): 10.0 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  Summary: Multiple use-after-free bugs in Pulse Connect Secure before 9.1R11.4 allow a remote unauthenticated attacker to execute arbitrary code via the license services.
  Product Affected: PCS 9.0R3/9.1R1 and higher

CVE-2021-22894
  CVSS Score (v3.1): 9.9 Critical (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  Summary: Buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows a remote authenticated user to execute arbitrary code as the root user via a maliciously crafted meeting room.
  Product Affected: PCS 9.1Rx, 9.0Rx

CVE-2021-22899
  CVSS Score (v3.1): 9.9 Critical (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  Summary: Command injection in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated user to perform remote code execution via Windows File Resource Profiles.
  Product Affected: PCS 9.1Rx, 9.0Rx

CVE-2021-22900
  CVSS Score (v3.1): 7.2 High (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  Summary: Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.
  Product Affected: PCS 9.1Rx, 9.0Rx

Solution

The solution for these vulnerabilities is to upgrade the Pulse Connect Secure server software to version 9.1R11.4.

IMPORTANT NOTE: The latest Integrity Checker Utility (ICT; see KB44755) must be run PRIOR to upgrading your PCS appliance, to ensure your appliance has not been compromised.

If the PCS version installed is: Pulse Connect Secure 9.0Rx or 9.1Rx
Then deploy this version (or later) to resolve the issue: Pulse Connect Secure 9.1R11.4
Expected Release: Available now
Notes: Known certificate issue for browser clients if upgrading from any version below 9.1R8. See KB44781.

Document History:
April 20, 2021 - Initial advisory posted and workaround files posted under Download Centre.
May 3, 2021 - Added three additional CVEs (CVE-2021-22894, CVE-2021-22899, CVE-2021-22900) and posted software to the Download Centre.
May 25, 2021 - Highlighted upgrade process including running the Integrity Checker Utility prior to upgrade.

LEGAL DISCLAIMER

  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HERE FROM IS AT THE USER’S OWN RISK. PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS. THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.

Workaround

CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 can be mitigated by importing the Workaround-2104.xml file.

Impact: the XML file disables the following features on the PCS appliance:

  • Windows File Share Browser
  • Pulse Secure Collaboration

The workaround uses the appliance's URL blacklisting feature to block the request paths through which these features are attacked.

Download: Download Center at https://my.pulsesecure.net

Note:

  • The XML file is supplied as a zip archive; unzip it and then import the XML file.
  • Importing the XML into any one node of a cluster is enough; the configuration syncs to the other nodes.

Customers can download and import the file under the following location:
Go to Maintenance > Import/Export > Import XML. Import the file.

  • This disables the Pulse Collaboration and Windows File Share Browser functionality.
  • If there is a load balancer in front of the PCS, the workaround may affect the load balancer's health checks.
    • If your load balancer uses round-robin, or probes HealthCheck.cgi or the advanced healthcheck.cgi, it will not be affected.

To disable the Windows File Share Browser and Pulse Collaboration manually in the Admin UI, follow the steps below:

  • Navigate to Users > User Roles > Default Options > General.
  • Under Access Features, make sure the "Files, Windows" and "Meetings" options are not checked.
  • Go to Users > User Roles.
  • Click on each role in turn and ensure that, under Access Features for each role, the "Files, Windows" and "Meetings" options are not enabled.

There is no need to reboot or restart services under the Pulse Secure Appliance.

The URIs are as follows in case you want to block them at your network edge using an inline load balancer doing SSL decryption:

^/+dana/+meeting
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
^/+dana-ws/+namedusers
^/+dana-ws/+metric

This is only possible if there is an inline load balancer that does SSL decryption.
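The five patterns above are regular expressions anchored at the start of the request path, and the `/+` between segments matters: a request for `//dana//meeting` reaches the same handler as `/dana/meeting`, so a literal prefix match would miss it. The following is an added example (written for this page, not code from the advisory or from Pulse Secure) showing how an edge device that sees the decrypted path can apply the advisory's list. The percent-decoding, query stripping, backslash folding and case-insensitive matching in `normalize_path` are this example's own hardening assumptions, not steps the advisory specifies, and the sample paths are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote

# The five URI patterns published in the advisory, verbatim. They are anchored at
# the start of the path and use "/+" between segments so that doubled slashes
# ("//dana//meeting") cannot slip past a naive literal prefix match.
ADVISORY_URI_PATTERNS = [
    r"^/+dana/+meeting",
    r"^/+dana/+fb/+smb",
    r"^/+dana-cached/+fb/+smb",
    r"^/+dana-ws/+namedusers",
    r"^/+dana-ws/+metric",
]

# Case-insensitive matching is this example's choice (the advisory does not say);
# it errs on the side of blocking.
_COMPILED = [re.compile(p, re.IGNORECASE) for p in ADVISORY_URI_PATTERNS]


def normalize_path(raw_path: str) -> str:
    """Reduce a request target to the form the advisory regexes expect.

    Assumption (not stated in the advisory): match on the decoded path with the
    query string removed, so "/dana%2Fmeeting" or "/dana/meeting?x=1" does not
    evade the blocklist. Decoding runs twice to catch simple double-encoding,
    and backslashes are folded to forward slashes.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.replace("\\", "/")


def matched_pattern(raw_path: str):
    """Return the advisory pattern that blocks this path, or None if allowed."""
    path = normalize_path(raw_path)
    for pattern, rx in zip(ADVISORY_URI_PATTERNS, _COMPILED):
        if rx.search(path):
            return pattern
    return None


def is_blocked(raw_path: str) -> bool:
    return matched_pattern(raw_path) is not None


# Constructed sample request paths (not captured traffic): the attack surface the
# workaround removes (meetings, Windows file share browsing, the dana-ws
# endpoints) plus ordinary sign-in and portal traffic that must keep working.
SAMPLE_PATHS = [
    "/dana/meeting/create_meeting.cgi",
    "//dana//meeting",
    "/dana/fb/smb/wfb.cgi?t=p",
    "/dana-cached/fb/smb/wfb.cgi",
    "/dana%2Fmeeting",
    "/dana-ws/namedusers",
    "/dana-ws/metric/metric.cgi",
    "/dana-na/auth/url_default/welcome.cgi",
    "/dana/home/index.cgi",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        verdict = matched_pattern(p)
        print(f"{('BLOCK' if verdict else 'allow'):5}  {p:45}  {verdict or ''}")
```

Run it directly to print a verdict per sample path. On a real load balancer the same five expressions can be placed in its regex ACL, but as the advisory notes this only works if the device terminates TLS, and the path it tests should be the decoded one.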

NOTE: After applying the 9.1R11.4 release, remove the workaround with the following steps:

  • Import the file remove-workaround-2104.xml (found in the same Download Center location as Workaround-2104.xml, https://my.pulsesecure.net).
  • Restore the previous settings for "Files, Windows" and "Meetings".

Limitations:

  • Workaround-2104.xml does not work on 9.0R1 - 9.0R4.1 or 9.1R1 - 9.1R2. If your PCS is running one of these versions, upgrade before doing the import.
  • The workaround is not recommended for a license server. Instead, minimize who can connect to the license server: for example, place it on a management VLAN, or have a firewall enforce source-IP restrictions.

Implementation

Frequently Asked Questions (FAQ):

Question 1: Why do I need to run the latest version of the Integrity Checker Tool prior to upgrading to the latest PCS release?
Answer: Running the Integrity Checker Tool against unsupported PCS versions will not return scan results. Please see the ICT KB for details on the expected output. To validate which versions of the Integrity Checker Tool support which PCS versions, please visit KB44755 - Pulse Connect Secure (PCS) Integrity Assurance.

Question 2: What if I upgraded to 9.1R11.4 without running the Integrity Checker Tool, or ran an unsupported version of it?
Answer: Pulse Secure recommends rolling back to the previous version using the administrator console and running the latest version of the Integrity Checker Tool there, because the threat actor's tooling is able to persist through an upgrade.

  1. Take the system offline.
  2. Roll back to the previous version.
  3. Run the ICT on the previous version.
  4. If clean, upgrade again.
  5. If file additions or mismatches are found, follow the mitigation steps in KB44764 - Customer FAQ: PCS Security Integrity Tool Enhancements.

NOTE: Only one rollback version is stored in the rollback partition. For example, if you upgraded from 9.1R11 to 9.1R11.3 and then to 9.1R11.4, you will only be able to roll back to 9.1R11.3.

Question 3: I’ve already applied the XML do I need to install 9.1R11.4?
Answer: If you are on 9.1R9 or above and have applied the XML we are still recommending moving to 9.1R11.4 to fully patch against the latest vulnerabilities.

If you are running any version below 9.1R9, you are still susceptible to older vulnerabilities even with the XML applied, so we highly recommend upgrading either to the 9.1R9 or 9.1R10 code branch with the XML applied, or directly to 9.1R11.4.

Question 4: Will the device reboot after importing the XML File?
Answer: No, the Workaround-2104.xml file does not reboot or restart services under the Pulse Secure Appliance.

Question 5: We are using A/A or A/P Cluster, do we need to import the XML file individually on each node?
Answer: No. Import Workaround-2104.xml on one node; the cluster will sync the configuration to the other nodes.

Question 6: How do I upgrade Pulse Connect Secure to resolve this vulnerability?
Answer: Download a fixed version of the Pulse Connect Secure available from the Licensing & Download Center at https://my.pulsesecure.net. For upgrade documentation, please refer to:

  • Upgrade PCS Cluster
  • Upgrade PCS Standalone Device

Question 7: What if I do not have access to my.pulsesecure.net to download the recommended PCS version?
Answer: Please refer to KB40031 for onboarding at my.pulsesecure.net. If you face any issues, please contact the Pulse Secure Global Support Center.

Question 8: How can we restore File Share and Meeting functionality after upgrading to PCS 9.1R11.4?
Answer: After upgrading to PCS 9.1R11.4, import remove-workaround-2104.xml to restore the settings.

  • Download remove-workaround-2104.xml (found in the same Download Center location as Workaround-2104.xml, https://my.pulsesecure.net):
    1. Once redirected to my.pulsesecure.net, log in.
    2. Click Software Licensing and Download.
    3. Select Pulse License and Download Center.
    4. Click Software Download (on the left).
    5. Select the Product Line and Product Type as Pulse Connect Secure.
    6. Click Download for "Pulse Connect Secure SA44784 Workaround XML".
    7. Accept the compliance agreement.
    8. Select View Detail under "ps-pcs-sa-44784-remove-workaround-2104.xml.zip".
    9. Scroll down and click Download.
  • Go to Maintenance > Import/Export > Import XML and import remove-workaround-2104.xml.
  • This restores the Pulse Collaboration and Windows File Share Browser functionality.

CVSS Score

10.0 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Alert Type

SA - Security Advisory

Related news

CVE-2021-22893: Public KB - SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4

Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
