CVE-2021-22893
📋 TL;DR
CVE-2021-22893 is an authentication bypass vulnerability in Pulse Connect Secure that allows unauthenticated attackers to execute arbitrary code on the gateway. This affects Pulse Connect Secure versions 9.0R3/9.1R1 and higher with Windows File Share Browser or Pulse Secure Collaboration features enabled. The vulnerability has been actively exploited in real-world attacks.
💻 Affected Systems
- Pulse Connect Secure
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Pulse Connect Secure gateway leading to lateral movement into internal networks, data exfiltration, and persistent backdoor installation.
Likely Case
Remote code execution leading to credential theft, network reconnaissance, and installation of web shells or other malware.
If Mitigated
Limited impact if proper network segmentation and monitoring are in place, though gateway compromise still occurs.
🎯 Exploit Status
Actively exploited by APT groups in the wild. Multiple exploit variants have been observed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.1R11.4, 9.0R13.4, 8.3R22.2, and later versions
Vendor Advisory: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
Restart Required: Yes
Instructions:
1. Download the appropriate patch from Pulse Secure support portal. 2. Backup current configuration. 3. Apply the patch via the admin interface. 4. Reboot the appliance. 5. Verify patch installation and functionality.
🔧 Temporary Workarounds
Disable vulnerable features
allDisable Windows File Share Browser and Pulse Secure Collaboration features if not required
Navigate to Users > User Roles > Edit Role > Resource Policies > Disable Windows File Share Browser and Pulse Secure Collaboration
Network segmentation
allIsolate Pulse Connect Secure appliance from critical internal networks
🧯 If You Can't Patch
- Immediately disable Windows File Share Browser and Pulse Secure Collaboration features
- Implement strict network segmentation and firewall rules to limit gateway access
🔍 How to Verify
Check if Vulnerable:
Check if running affected versions (9.0R3/9.1R1 or higher) and verify if Windows File Share Browser or Pulse Secure Collaboration features are enabled in the admin interface.Check Version:
Login to admin interface and check System > Maintenance > Software Updates or run 'show version' via CLIVerify Fix Applied:
Verify version is patched (9.1R11.4, 9.0R13.4, 8.3R22.2 or later) and check patch status in System > Maintenance > Software Updates.📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts
- Unexpected file uploads to /dana-na/auth/url_admin/ endpoints
- Suspicious process execution
Network Indicators:
- Unusual outbound connections from Pulse appliance
- Traffic to known malicious IPs
- Anomalous HTTP requests to admin interfaces
SIEM Query:
source="pulse_secure" AND (uri_path="/dana-na/auth/url_admin/*" OR event_description="authentication bypass")🔗 References
- https://blog.pulsesecure.net/pulse-connect-secure-security-update/
- https://kb.cert.org/vuls/id/213092
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
- https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
- https://blog.pulsesecure.net/pulse-connect-secure-security-update/
- https://kb.cert.org/vuls/id/213092
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
- https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
- https://www.kb.cert.org/vuls/id/213092
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22893
