Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
6

CVE-2021-22893

Disclosure Date: April 23, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Command and Control
Techniques
Validation
Validated
Credential Access
Techniques
Validation
Validated
Validated
Defense Evasion
Techniques
Validation
Validated
Validated
Validated
Validated
Discovery
Techniques
Validation
Validated
Validated
Validated
Validated
Execution
Techniques
Validation
Validated
Validated
Validated
Validated
Exfiltration
Techniques
Validation
Validated
Initial Access
Techniques
Validation
Validated
Validated
Validated
Validated
Validated
Validated
Validated
Validated
Persistence
Techniques
Validation
Validated
Validated
Validated
Validated
Privilege Escalation
Techniques
Validation
Validated
Validated

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Add Assessment

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Pulse Secure Pulse Connect Secure 9.1.R.11.3 and earlier are affected by an authenticated bypass vulnerability, CVE-2021-22893, when exploited it is very likely the threat actor can achieve remote code execution. Exploitation has been observed by APT 5 (UNC2630) and UNC2717.

A Proof-of-Concept exploit is not publicly available.

CVSS V3 Severity and Metrics
Base Score:
10.0 Critical
Impact Score:
6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Products

  • Pulse Connect Secure

Exploited in the Wild

Reported by:
Reported: April 19, 2021 9:20pm UTC (3 weeks ago) Edited 3 weeks ago
Reported: April 21, 2021 2:01pm UTC (3 weeks ago) Edited 3 weeks ago
Reported: April 21, 2021 3:26pm UTC (3 weeks ago)
Technical Analysis

On Tuesday, April 20, 2021, security firm FireEye published detailed analysis of multiple APT campaigns targeting vulnerabilities in Ivanti’s Pulse Connect Secure VPN. According to FireEye’s analysis, threat actors have been leveraging multiple techniques to bypass single and multi-factor authentication on Pulse Secure VPN devices, establish persistence across updates, and maintain access via webshells. One of the vulnerabilities under active exploitation by multiple threat groups is CVE-2021-22893, a zero-day authentication bypass detailed in an out-of-band Pulse Secure security advisory published April 20, 2021. The vulnerability allows remote, unauthenticated attackers to execute arbitrary code and carries a CVSSv3 base score of 10.

Affected versions

Rapid7 analysis

CVE-2021-22893 mitigation file Workaround-2104.xml contains encrypted content:

<configuration xmlns="http://xml.pulsesecure.net/ive-sa/9.0R5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" iveData="3166" saData="3104">
    <system>
        <configuration>
            <security>
            <blacklists>
                    <patch>
                        <name>2104-a</name>
                        <content-encrypted>3u+UR6n8AgABAAAAkMVZR4MWAWw8PJFpYwTzo/15TvQnKFfLbsJa7faJbBaMaBb2eYML+wMCviGQhDOu</content-encrypted>
                    </patch>
                    <patch>
                        <name>2104-b</name>
                        <content-encrypted>3u+UR6n8AgABAAAAL5MzPwRL3TN4CW7T0Sw/XJxpCut18uLfFj+ggllEaP+0tqz5nsfv1+EMBgPBCfXR</content-encrypted>
                    </patch>
                    <patch>
                        <name>2104-c</name>
                        <content-encrypted>3u+UR6n8AgABAAAAHKgo/bDnsClZHYtGvqVQukYo27henSaachy3VzDugEr3fCQfUxd4lTBiCAzqEeXQ</content-encrypted>
                    </patch>
                    <patch>
                        <name>2104-d</name>
                        <content-encrypted>3u+UR6n8AgABAAAAcrasNQDd0ZJPX2Bm0+5RAPSBFPfG3lQ6R8De0SqBSXUfIfvr4dH6bmrux6dEMEm4</content-encrypted>
                    </patch>
                    <patch>
                        <name>2104-e</name>
                        <content-encrypted>3u+UR6n8AgABAAAAAn2J/w07x+MjLatn9i8fRZUndUlJmY0+I8l2IT//1sUvIdcPCGQOStDB5e95cAap</content-encrypted>
                    </patch>
                </blacklists>
           </security>
        </configuration>
    </system>
</configuration>

The decrypted content can be retrieved from cache using the /home/bin/dsget command:

root@localhost2:/# for i in {a..e}; do dsget "/vc0/config/blacklists/patch_2104-$i/content"; done
< {a..e}; do dsget "/vc0/config/blacklists/patch_2104-$i/content"; done
^/+dana/+meeting
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
^/+dana-ws/+namedusers
^/+dana-ws/+metric
root@localhost2:/#

Endpoints matching the URI patterns above typically require authentication.

Guidance

Pulse Secure has issued a workaround in the form of an XML file that mitigates CVE-2021-22893 until a more permanent patch is available. Pulse Connect Secure customers should import the Workaround-2104.xml file, which blocks access to the Windows File Share Browser and Pulse Secure Collaboration features on the PCS appliance. According to the company’s out-of-band advisory, they are using an existing blocklist feature to disable the URL-based attack. Rapid7 researchers were able to decrypt the blocklist’s URI patterns, which are as follows:

  • ^/+dana/+meeting
  • ^/+dana/+fb/+smb
  • ^/+dana-cached/+fb/+smb
  • ^/+dana-ws/+namedusers
  • ^/+dana-ws/+metric

In addition to applying the workaround, customers may want to block these patterns at their network perimeter (requires an inline load balancer capable of performing SSL decryption). Pulse Secure has since updated their advisory with the unencrypted patterns. Customers with shell access to their appliance may run the following command to confirm that the blocklist is in place:

for i in {a..e}; do /home/bin/dsget "/vc0/config/blacklists/patch_2104-$i/content"; done

Pulse Connect Secure customers running versions 9.0R3 and up should apply the workaround immediately, without waiting for a regular patch or maintenance cycle to occur. We would also advise running Ivanti’s Integrity Tool to examine your Pulse Connect Secure images for files that may have been maliciously altered or added.

References