CVE-2021-22893
Description
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
Ratings
Attacker Value: Very High
Exploitability: Very High
Technical Analysis
Pulse Secure Pulse Connect Secure 9.1R11.3 and earlier are affected by an authentication bypass vulnerability, CVE-2021-22893; when exploited, it is very likely the threat actor can achieve remote code execution. Exploitation has been observed by APT 5 (UNC2630) and UNC2717.
A Proof-of-Concept exploit is not publicly available.
General Information
Vendors
- ivanti
Products
- connect secure 9.0
- connect secure 9.1
Exploited in the Wild
- Government or Industry Alert (https://www.hhs.gov/sites/default/files/pulse-secure-vulnerabilities-analyst-note.pdf)
- Other: 2021 Commonly Exploited Vulnerabilities (https://www.ic3.gov/Media/News/2021/210728.pdf)
Additional Info
Technical Analysis
On Tuesday, April 20, 2021, security firm FireEye published detailed analysis of multiple APT campaigns targeting vulnerabilities in Ivanti’s Pulse Connect Secure VPN. According to FireEye’s analysis, threat actors have been leveraging multiple techniques to bypass single and multi-factor authentication on Pulse Secure VPN devices, establish persistence across updates, and maintain access via webshells. One of the vulnerabilities under active exploitation by multiple threat groups is CVE-2021-22893, a zero-day authentication bypass detailed in an out-of-band Pulse Secure security advisory published April 20, 2021. The vulnerability allows remote, unauthenticated attackers to execute arbitrary code and carries a CVSSv3 base score of 10.
Affected versions
- 9.0R3 and higher of Pulse Connect Secure devices
According to Pulse Secure’s advisory, older versions are not affected.
Rapid7 analysis
The CVE-2021-22893 mitigation file Workaround-2104.xml contains encrypted content:

    <configuration xmlns="http://xml.pulsesecure.net/ive-sa/9.0R5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" iveData="3166" saData="3104">
      <system>
        <configuration>
          <security>
            <blacklists>
              <patch>
                <name>2104-a</name>
                <content-encrypted>3u+UR6n8AgABAAAAkMVZR4MWAWw8PJFpYwTzo/15TvQnKFfLbsJa7faJbBaMaBb2eYML+wMCviGQhDOu</content-encrypted>
              </patch>
              <patch>
                <name>2104-b</name>
                <content-encrypted>3u+UR6n8AgABAAAAL5MzPwRL3TN4CW7T0Sw/XJxpCut18uLfFj+ggllEaP+0tqz5nsfv1+EMBgPBCfXR</content-encrypted>
              </patch>
              <patch>
                <name>2104-c</name>
                <content-encrypted>3u+UR6n8AgABAAAAHKgo/bDnsClZHYtGvqVQukYo27henSaachy3VzDugEr3fCQfUxd4lTBiCAzqEeXQ</content-encrypted>
              </patch>
              <patch>
                <name>2104-d</name>
                <content-encrypted>3u+UR6n8AgABAAAAcrasNQDd0ZJPX2Bm0+5RAPSBFPfG3lQ6R8De0SqBSXUfIfvr4dH6bmrux6dEMEm4</content-encrypted>
              </patch>
              <patch>
                <name>2104-e</name>
                <content-encrypted>3u+UR6n8AgABAAAAAn2J/w07x+MjLatn9i8fRZUndUlJmY0+I8l2IT//1sUvIdcPCGQOStDB5e95cAap</content-encrypted>
              </patch>
            </blacklists>
          </security>
        </configuration>
      </system>
    </configuration>

The decrypted content can be retrieved from the cache using the /home/bin/dsget command:

    root@localhost2:/# for i in {a..e}; do dsget "/vc0/config/blacklists/patch_2104-$i/content"; done
    ^/+dana/+meeting
    ^/+dana/+fb/+smb
    ^/+dana-cached/+fb/+smb
    ^/+dana-ws/+namedusers
    ^/+dana-ws/+metric
    root@localhost2:/#
Endpoints matching the URI patterns above typically require authentication.
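To sanity-check a copy of Workaround-2104.xml against the contents shown above, here is an added Python example (written for this page; it is not Rapid7's or Pulse Secure's code) that parses the blocklist entries, base64-decodes each content-encrypted blob with strict validation, and reports the header bytes all blobs share. The embedded XML string is a copy of the file contents above. The decoded blobs all begin with the same 12 bytes; reading that prefix as a fixed container header is an inference from the data on this page, not a documented format.

```python
import base64
import xml.etree.ElementTree as ET

# Copy of the Workaround-2104.xml content reproduced on this page.
WORKAROUND_XML = (
    '<configuration xmlns="http://xml.pulsesecure.net/ive-sa/9.0R5" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" iveData="3166" saData="3104">'
    "<system><configuration><security><blacklists>"
    "<patch><name>2104-a</name><content-encrypted>3u+UR6n8AgABAAAAkMVZR4MWAWw8PJFpYwTzo/15TvQnKFfLbsJa7faJbBaMaBb2eYML+wMCviGQhDOu</content-encrypted></patch>"
    "<patch><name>2104-b</name><content-encrypted>3u+UR6n8AgABAAAAL5MzPwRL3TN4CW7T0Sw/XJxpCut18uLfFj+ggllEaP+0tqz5nsfv1+EMBgPBCfXR</content-encrypted></patch>"
    "<patch><name>2104-c</name><content-encrypted>3u+UR6n8AgABAAAAHKgo/bDnsClZHYtGvqVQukYo27henSaachy3VzDugEr3fCQfUxd4lTBiCAzqEeXQ</content-encrypted></patch>"
    "<patch><name>2104-d</name><content-encrypted>3u+UR6n8AgABAAAAcrasNQDd0ZJPX2Bm0+5RAPSBFPfG3lQ6R8De0SqBSXUfIfvr4dH6bmrux6dEMEm4</content-encrypted></patch>"
    "<patch><name>2104-e</name><content-encrypted>3u+UR6n8AgABAAAAAn2J/w07x+MjLatn9i8fRZUndUlJmY0+I8l2IT//1sUvIdcPCGQOStDB5e95cAap</content-encrypted></patch>"
    "</blacklists></security></configuration></system></configuration>"
)

# The file declares a default namespace, so every element lookup needs it.
PS_NS = {"ps": "http://xml.pulsesecure.net/ive-sa/9.0R5"}


def parse_blocklist_patches(xml_text):
    """Return a list of (patch name, decoded blob bytes) for every <patch>
    under <blacklists>. base64 is decoded with validate=True so a corrupted
    or hand-edited file raises instead of silently yielding garbage."""
    root = ET.fromstring(xml_text)
    patches = []
    for patch in root.findall(".//ps:blacklists/ps:patch", PS_NS):
        name = patch.findtext("ps:name", namespaces=PS_NS).strip()
        b64 = patch.findtext("ps:content-encrypted", namespaces=PS_NS).strip()
        patches.append((name, base64.b64decode(b64, validate=True)))
    return patches


def shared_prefix(blobs):
    """Longest byte prefix common to all blobs (b"" for an empty list)."""
    if not blobs:
        return b""
    prefix = blobs[0]
    for blob in blobs[1:]:
        n = 0
        while n < min(len(prefix), len(blob)) and prefix[n] == blob[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def summarize(xml_text):
    """Summary a responder can compare against the published file: patch
    names, decoded blob lengths, and the header bytes every blob shares.
    Whether that prefix is a format header is an assumption of this example."""
    patches = parse_blocklist_patches(xml_text)
    blobs = [blob for _, blob in patches]
    return {
        "names": [name for name, _ in patches],
        "lengths": [len(blob) for blob in blobs],
        "shared_prefix_hex": shared_prefix(blobs).hex(),
    }


if __name__ == "__main__":
    for key, value in summarize(WORKAROUND_XML).items():
        print(f"{key}: {value}")
```

For the file above this reports five patches named 2104-a through 2104-e, each decoding to 60 bytes, with a 12-byte shared prefix. A file that parses to a different count, different lengths, or a different prefix is not the published workaround and should be treated with suspicion before import.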
Guidance
Pulse Secure has issued a workaround in the form of an XML file that mitigates CVE-2021-22893 until a more permanent patch is available. Pulse Connect Secure customers should import the Workaround-2104.xml file, which blocks access to the Windows File Share Browser and Pulse Secure Collaboration features on the PCS appliance. According to the company's out-of-band advisory, they are using an existing blocklist feature to disable the URL-based attack. Rapid7 researchers were able to decrypt the blocklist's URI patterns, which are as follows:
^/+dana/+meeting
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
^/+dana-ws/+namedusers
^/+dana-ws/+metric
In addition to applying the workaround, customers may want to block these patterns at their network perimeter (requires an inline load balancer capable of performing SSL decryption). Pulse Secure has since updated their advisory with the unencrypted patterns. Customers with shell access to their appliance may run the following command to confirm that the blocklist is in place:
for i in {a..e}; do /home/bin/dsget "/vc0/config/blacklists/patch_2104-$i/content"; done
Pulse Connect Secure customers running versions 9.0R3 and up should apply the workaround immediately, without waiting for a regular patch or maintenance cycle to occur. We would also advise running Ivanti’s Integrity Tool to examine your Pulse Connect Secure images for files that may have been maliciously altered or added.
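The workaround only filters on the appliance itself, and the guidance above suggests blocking the same patterns at the perimeter. As an added example (not Rapid7's or Pulse Secure's code), the Python below applies the five decrypted patterns, taken literally as regular expressions, to web-server access log lines to find requests the blocklist would have refused, which is also a quick way to test a perimeter rule or to hunt through historical logs. The log lines are constructed for the example. Percent-decoding the path before matching is this example's own choice: the page does not say whether the appliance matches the raw or the decoded path, so a perimeter rule should be tested against both forms. Note that `/+` lets repeated slashes through and nothing anchors the end of the pattern, so `//dana//meeting` and `/dana/meetingXYZ` both match.

```python
import re
from urllib.parse import unquote

# The five URI patterns decrypted from Workaround-2104.xml (listed above),
# used here literally as Python regular expressions.
BLOCKLIST_PATTERNS = [
    r"^/+dana/+meeting",
    r"^/+dana/+fb/+smb",
    r"^/+dana-cached/+fb/+smb",
    r"^/+dana-ws/+namedusers",
    r"^/+dana-ws/+metric",
]
COMPILED_PATTERNS = [re.compile(p) for p in BLOCKLIST_PATTERNS]

# Constructed sample access log in Combined Log Format; not captured from any real appliance.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2021:10:01:12 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2021:10:01:15 +0000] "GET /dana/meeting/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2021:10:02:03 +0000] "GET //dana-ws//namedusers HTTP/1.1" 200 812 "-" "curl/7.68.0"
198.51.100.7 - - [20/Apr/2021:10:02:09 +0000] "POST /dana-cached/fb/smb/wfb.cgi?t=1 HTTP/1.1" 200 2048 "-" "curl/7.68.0"
192.0.2.9 - - [20/Apr/2021:10:03:44 +0000] "GET /%64ana-ws/metric HTTP/1.1" 200 77 "-" "python-requests/2.25"
192.0.2.9 - - [20/Apr/2021:10:03:50 +0000] "GET /dana-na/meeting HTTP/1.1" 404 0 "-" "python-requests/2.25"
"""

# Minimal Combined Log Format parser: client, timestamp, method, request target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target):
    """Drop the query string and percent-decode once before matching.
    Decoding is this example's assumption, not documented appliance behaviour."""
    return unquote(target.split("?", 1)[0])


def matching_pattern(path):
    """Return the first blocklist pattern the path hits, or None.
    re.match anchors at the start only, matching the '^' in the patterns;
    '/+' accepts repeated slashes and nothing anchors the end."""
    for pat in COMPILED_PATTERNS:
        if pat.match(path):
            return pat.pattern
    return None


def scan_log(text):
    """Return a list of (client ip, method, raw target, pattern) for every
    request in the log that the workaround blocklist would have refused."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a recognisable access-log line; skip it
        pat = matching_pattern(normalize_path(m.group("target")))
        if pat:
            hits.append((m.group("ip"), m.group("method"), m.group("target"), pat))
    return hits


if __name__ == "__main__":
    for ip, method, target, pat in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> blocked by {pat}")
```

Against the sample log this flags four of the six requests: the meeting path, the double-slash namedusers request, the file-browser CGI with a query string, and the percent-encoded metric request. The two `/dana-na/` requests are left alone, since the patterns require `dana` to be followed directly by a slash.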
References
- https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784 (CVE-2021-22893)
- https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755 (Pulse Connect Secure Integrity Tool)