A Vulnerability in Pulse Connect Secure VPN Could Allow for Remote Code Execution

DESCRIPTION:
A vulnerability has been discovered in Pulse Connect Secure VPN that
could allow for remote code execution. Pulse Connect Secure VPN provides
TLS and mobile VPN solutions. Successful exploitation of this
vulnerability could allow for remote code execution. Depending on the
privileges associated with the application, an attacker could then
install programs; view, change, or delete data; or create new accounts
with full user rights. Applications that are configured to have fewer
user rights on the system could be less impacted than those that operate
with administrative user rights.

IMPACT:
A vulnerability has been discovered in Pulse Connect Secure VPN that
could allow for remote code execution. The vulnerability allows an
unauthenticated user to perform remote arbitrary file execution on the
Pulse Connect Secure gateway, due to an authentication by-pass.
Specifically this issue affects Pulse Connect Secure gateway.
Exploitation of these vulnerabilities could facilitate remote code
execution, privilege escalation, and lateral access to enterprise,
operational technology, and cloud networks.

Successful exploitation of this vulnerability could allow for remote
code execution. Depending on the privileges associated with the
application, an attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights. Applications
that are configured to have fewer user rights on the system could be
less impacted than those that operate with administrative user rights.

SYSTEM AFFECTED:
* Pulse Connect Secure prior to 9.1R.11.4

RECOMMENDATIONS:
We recommend the following actions be taken:
* Upgrade the Pulse Connect Secure server software version to the 9.1R.11.4
* Disabling Windows File Share Browser and Pulse Secure Collaboration
features
* Block external access at the network boundary, unless external parties
require service.
* If global access isn’t needed, filter access to the affected computer
at the network boundary. Restricting access to only trusted computers
and networks might greatly reduce the likelihood of successful exploits.
* Run all software as a nonprivileged user with minimal access rights.
To mitigate the impact of a successful exploit, run the affected
application as a user with minimal access rights.
* Deploy network intrusion detection systems to monitor network traffic
for malicious activity.
* Deploy NIDS to detect and block attacks and anomalous activity such as
requests containing suspicious URI sequences. Since the webserver may
log such requests, review its logs regularly.
* Implement multiple redundant layers of security. Since this issue may
be leveraged to execute code, we recommend memory-protection schemes,
such as nonexecutable stack/heap configurations and randomly mapped
memory segments. This tactic may complicate exploit attempts of
memory-corruption vulnerabilities.

REFERENCES:
https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day-used-to-hack-defense-firms-govt-orgs/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22893
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784

Share