{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/213092#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nPulse Connect Secure (PCS) gateway contains a use-after-free vulnerability that can allow an unauthenticated remote attacker to execute arbitrary code.\r\n\r\n### Description\r\n**CVE-2021-22893**\r\n\r\nA use-after-free vulnerability that can be reached via a license server handling endpoint may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system. \r\n\r\nEvery system that is running PCS 9.0R3 or higher or 9.1R1 through 9.2R11.3 is affected. Having the license server configuration enabled is **NOT** a prerequisite to being vulnerable. The vulnerable endpoints are present regardless of whether the system is an actual license server or not.\r\n\r\nThis vulnerability is being [exploited in the wild](https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html).\r\n\r\n### Impact\r\nBy making a crafted request to a vulnerable Pulse Connect Secure system, an unauthenticated remote attacker may be able to execute arbitrary code on the gateway with root privileges.\r\n\r\n\r\n### Solution\r\n\r\n#### Apply an update\r\nThis vulnerability and others are [addressed](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/) in Pulse Connect Secure 9.1R11.4.\r\n\r\n#### Apply a workaround\r\n\r\nIf you are not using the features that the following workaround disables, we recommend applying the XML workaround even on systems that have been upgraded to 9.1R11.4 to reduce attack surface. Pulse Secure has published a [Workaround-2104.xml](https://my.pulsesecure.net/) file that contains mitigations to protect against this and other vulnerabilities.  
[Importing this XML workaround](https://docs.pulsesecure.net/WebHelp/PCS/9.1R1/AG/Content/PCS/PCS_AdminGuide_9.1R1/Importing_an_XML_Configuration.htm) will activate the protections immediately and does not require any downtime for the VPN system. This workaround will block requests that match the following URI patterns:  \r\n```\r\n^/+dana/+meeting\r\n^/+dana/+fb/+smb\r\n^/+dana-cached/+fb/+smb\r\n^/+dana-ws/+namedusers\r\n^/+dana-ws/+metric\r\n```\r\n\r\nNote that installing this workaround will block the ability to use the following features:\r\n\r\n* Windows File Share Browser\r\n* Pulse Secure Collaboration\r\n* License Server\r\n\r\nInstead of using the workaround to protect a PCS that is being used as a license server, we recommend updating such systems to PCS 9.1R11.4. If this is not possible, restrict which IP addresses are allowed to communicate with the system.\r\n\r\n#### Run the PCS Integrity Assurance utility\r\n\r\nA PCS administrator should run the [PCS Integrity Assurance](https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755) utility to help determine if a system has evidence that it has been compromised. Please be aware of two limitations of this tool:\r\n\r\n1. Upon completion of the Integrity Assurance tool, the PCS device will automatically reboot.\r\n2. Because running the Integrity Assurance tool relies on the use of the administrative web interface of the PCS device itself, it is reasonable to assume that it may be possible for a compromised device to display misleading results.\r\n\r\n#### Enable Unauthenticated Request logging\r\n\r\nBy default, PCS devices do not log unauthenticated web requests. 
Additionally, the administrative interface for a PCS device will warn that: *Selecting this can quickly fill up User access log space in case of attack*.\r\n\r\nBecause this vulnerability is exploitable via an unauthenticated request to the PCS, evidence of exploitation may only be present if the \"Unauthenticated Requests\" logging option is enabled. Enable this feature in the PCS administrative web interface by visiting:\r\nSystem -> Log/Monitoring -> User Access -> Settings\r\nand enabling the \"Unauthenticated Requests\" option.\r\n\r\n#### Enable remote logging\r\n\r\nAttackers who have compromised a PCS device may delete on-device logs in the process. For this reason, [configure a remote Syslog server](https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22227) to ensure that PCS log entries are not modified or deleted.\r\n\r\n\r\n### Acknowledgements\r\nThis vulnerability was publicly reported by Pulse Secure with additional details and context published by FireEye.\r\n\r\nThis document was written by Chuck Yarbrough and Will Dormann.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/213092"},{"url":"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/","summary":"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/"},{"url":"https://blog.pulsesecure.net/pulse-connect-secure-security-update/","summary":"https://blog.pulsesecure.net/pulse-connect-secure-security-update/"},{"url":"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html","summary":"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"},{"url":"https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day-used-to-hack-defense-firms-govt-orgs/","summary":"https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day-used-to-hack-defense-firms-govt-orgs/"},{"url":"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/","summary":"Reference(s) from vendor \"Pulse Secure\""},{"url":"https://blog.pulsesecure.net/pulse-connect-secure-security-update/","summary":"Reference(s) from vendor \"Pulse Secure\""},{"url":"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html","summary":"Reference(s) from vendor \"Pulse Secure\""},{"url":"https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day-used-to-hack-defense-firms-govt-orgs/","summary":"Reference(s) from vendor \"Pulse Secure\""}],"title":"Pulse Connect Secure contains a use-after-free vulnerability","tracking":{"current_release_date":"2021-05-19T13:05:47+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#213092","initial_release_date":"2021-04-20 00:00:00+00:00","revision_history":[{"date":"2021-05-19T13:05:47+00:00","number":"1.20210519130547.13","summary":"Released on 2021-05-19T13:05:47+00:00"}],"status":"final","version":"1.20210519130547.13"}},"vulnerabilities":[{"title":"Unspecified RCE vulnerability.","notes":[{"category":"summary","text":"Unspecified RCE vulnerability"}],"cve":"CVE-2021-22893","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#213092"}],"product_status":{"known_affected":["CSAFPID-e0888448-3a6f-11f1-a172-0afffb3ee71d"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Pulse Secure","product":{"name":"Pulse Secure Products","product_id":"CSAFPID-e0888448-3a6f-11f1-a172-0afffb3ee71d"}}]}}