CVE-2021-22893: Pulse Connect Secure RCE Vulnerability Alert

Pulse Connect Secure is an enterprise-class, high-performance VPN system that is widely deployed in enterprises. On April 20, 2021, Pulse Secure released a risk notice for a Pulse Connect Secure remote code execution vulnerability, tracked as CVE-2021-22893 with a CVSS score of 10.0.

Vulnerability Detail

A vulnerability was discovered in Pulse Connect Secure (PCS). It is an authentication-bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.

Affected version

  • Pulse Connect Secure 9.0R3 and Higher

Solution

In this regard, we recommend that users upgrade the Pulse Connect Secure server software to version 9.1R.11.4 promptly.

Temporary repair suggestions

Go to Maintenance > Import/Export > Import XML and import the file.

  • This disables Pulse Collaboration.
  • If there is a load balancer in front of the PCS, this may affect the load balancer.
    • If your load balancer uses round robin, HealthCheck.cgi, or advanced healthcheck.cgi, it will not be affected.

Disable the Windows File Browser

  • Navigate to Users > User Roles > click Default Option > click General.
  • Under Access Features, make sure the “Files, Windows” option is not checked.
  • Go to Users > User Roles.
  • Click on each role in turn and ensure that, under Access Features for each role, the “Files, Windows” option is not enabled.
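The affected-version floor (9.0R3) and the fixed version named above are only useful if they can be checked against a fleet inventory. The following is an added example, not code from Pulse Secure or from this alert: it parses Pulse Connect Secure version strings of the form major.minorRrelease[.build] (the dot after R in the alert's spelling 9.1R.11.4 is tolerated), classifies each version against the range the alert names, and flags which gateways still need action. The version-string format and the hostnames in the sample inventory are assumptions made for the example; versions below 9.0R3 are reported as "not-listed" rather than "safe", because the alert says nothing about them.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class PcsVersion(NamedTuple):
    """Comparable form of a Pulse Connect Secure version (tuple ordering)."""
    major: int
    minor: int
    release: int
    build: int


# Boundaries taken from the alert text above (fix version as the alert spells it).
AFFECTED_FROM = "9.0R3"
FIXED_IN = "9.1R.11.4"

# Assumed format: <major>.<minor>R<release>[.<build>]; "R." accepted for the alert's spelling.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R\.?(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> PcsVersion:
    """Parse a PCS version string; a missing build component is treated as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Pulse Connect Secure version string: {text!r}")
    major, minor, release, build = m.groups()
    return PcsVersion(int(major), int(minor), int(release), int(build or 0))


def classify(version_text: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-listed' for one version string."""
    v = parse_version(version_text)
    if v < parse_version(AFFECTED_FROM):
        return "not-listed"      # below the range the alert names; not asserted safe
    if v >= parse_version(FIXED_IN):
        return "patched"
    return "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Classify (host, version) pairs; unparseable versions are flagged, not skipped."""
    report: Dict[str, str] = {}
    for host, version in inventory:
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unparseable"
    return report


def needs_action(report: Dict[str, str]) -> List[str]:
    """Hosts that must be upgraded or investigated (vulnerable or unknown version)."""
    return sorted(h for h, state in report.items() if state in ("vulnerable", "unparseable"))


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("vpn-gw-01.example", "9.1R11.3"),   # inside the affected range
    ("vpn-gw-02.example", "9.1R11.4"),   # at the fixed version
    ("vpn-gw-03.example", "8.3R7"),      # below the range named by the alert
    ("vpn-gw-04.example", "unknown"),    # inventory gap: must be checked by hand
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for host, state in sorted(result.items()):
        print(f"{host:20} {state}")
    print("needs action:", ", ".join(needs_action(result)))
```

An "unparseable" entry is deliberately treated as needing action: an inventory that cannot state a gateway's version is a gap to close, not a pass.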