CVE-2021-22893: Pulse Connect Secure RCE Vulnerability Alert
Vulnerability Detail
A vulnerability was discovered in Pulse Connect Secure (PCS). It includes an authentication bypass that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.
Affected version
- Pulse Connect Secure 9.0R3 and higher
Solution
Go to Maintenance > Import/Export > Import XML. Import the file.
- This disables Pulse Collaboration.
- If there is a load balancer in front of the PCS, this may affect the load balancer.
- If your load balancer uses round robin, HealthCheck.cgi, or advanced healthcheck.cgi, it will not be affected.
Disable the Windows File Browser
- Navigate to Users > User Roles, click Default Option, then click General.
- Under the Access Feature, make sure the “Files, Windows” option is not checked.
- Go to Users > User Roles
- Click on each role in turn and ensure that, under the Access Feature of each role, the “Files, Windows” option is not enabled.