Security Bulletin: Pulse Connect Secure RCE Vulnerability (CVE-2021-22893)

What was announced?

A recently identified vulnerability includes an authentication bypass that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.

 

Solution

The solution for these vulnerabilities is to upgrade the Pulse Connect Secure server software to version 9.1R.11.4.

 

Workaround

CVE-2021-22893 can be mitigated by importing the Workaround-2104.xml file.

 

Workaround impact: the XML file disables the following features on the PCS appliance.

  • Windows File Share Browser
  • Pulse Secure Collaboration

The workaround uses the blacklisting feature to block the URL-based attack.

 

Resources

Additional details are available in Pulse Secure’s Knowledge Base.

Integration Partners is here to assist, so please use the form below, or reach out to your Account Executive, Sales Engineer, or our Network Operations Center at 781.357.8100.