CVE-2021-22900
📋 TL;DR
This vulnerability in Pulse Connect Secure allows an authenticated administrator to upload a maliciously crafted archive through the administrator web interface and write arbitrary files to the appliance. It affects Pulse Connect Secure versions before 9.1R11.4. An attacker holding admin credentials could use it to run code on the underlying appliance OS or modify system files, gaining a level of access the admin UI is designed to withhold.
💻 Affected Systems
- Pulse Connect Secure
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with compromised admin credentials could upload a malicious archive to write arbitrary files, leading to remote code execution on the appliance, full system compromise, and interception or exfiltration of VPN traffic and credentials passing through it.
Likely Case
An authenticated attacker writes files to the appliance to establish persistence (for example a webshell or modified system binaries), alter configuration, or escalate from the restricted admin web interface to the underlying operating system.
If Mitigated
Restricting who can reach the admin interface and requiring multi-factor authentication makes it harder for an attacker to obtain a usable admin session. It does not reduce what a successful upload can do: the file write still happens with the privileges of the appliance process that unpacks the archive, so it remains a path to further compromise.
🎯 Exploit Status
Exploitation requires administrator credentials, so the bug is a post-authentication foothold rather than an initial-access vector; it matters because admin credentials are routinely obtained through phishing, reuse, or other flaws, and this bug turns them into control of the appliance OS. CISA has confirmed active exploitation in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.1R11.4 and later
Vendor Advisory: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY
Restart Required: Yes
Instructions:
1. Download Pulse Connect Secure 9.1R11.4 or later from the Pulse Secure support portal.
2. Back up the current configuration (and, for clustered deployments, plan the upgrade order per vendor documentation).
3. Apply the update following vendor documentation.
4. Allow the appliance to reboot as part of the upgrade.
5. Verify the update was successful by confirming the running version in the admin console.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative access to trusted IP addresses (for example a management VLAN or jump hosts) and require multi-factor authentication for all admin accounts.
Monitor File Uploads
Monitor archive uploads in the admin interface (configuration imports, package uploads) and alert on uploads from unexpected sources, outside change windows, or in unusual volume.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Pulse Connect Secure from critical systems
- Enforce strong authentication and monitoring for all administrative accounts
🔍 How to Verify
Check if Vulnerable:
Check the Pulse Connect Secure version via the admin web console or the serial console. Any version below 9.1R11.4 is vulnerable, including all releases on older trains such as 9.0Rx and 8.3Rx.
Check Version:
The running version is shown in the admin web console under System > Status, and on the Maintenance > System > Upgrade/Downgrade page; the serial console menu also reports it.
Verify Fix Applied:
Confirm that the version reported after the reboot is 9.1R11.4 or higher, and check the admin log for the upgrade event and a clean restart.
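The following is an added example (not from the vendor advisory or the Pulse Secure product) that turns the "below 9.1R11.4 is vulnerable" rule into a script you can run across an inventory. It parses PCS version strings of the form `<major>.<minor>R<release>[.<patch>]`, with an optional trailing build number, and compares them as tuples so that older trains (9.0Rx, 8.3Rx) are correctly classed as vulnerable. The inventory data is constructed for the example; the build number shown is a placeholder, not a real build.

```python
import re
from typing import Dict, List, Tuple

# 9.1R11.4 is the fixed version named in the vendor advisory.
FIXED_VERSION: Tuple[int, int, int, int] = (9, 1, 11, 4)

# PCS version strings look like "9.1R11.3", "9.1R12", or "9.1R11.3 (build 1234)".
# The patch level is optional and the build suffix is ignored for comparison.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")


def parse_pcs_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a Pulse Connect Secure version string into (major, minor, release, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = m.groups()
    # A missing patch level ("9.1R12") means the .0 release of that train.
    return (int(major), int(minor), int(release), int(patch or 0))


def is_valid_version(text: str) -> bool:
    try:
        parse_pcs_version(text)
        return True
    except ValueError:
        return False


def is_vulnerable(version_text: str) -> bool:
    """True when the version is strictly below 9.1R11.4 (CVE-2021-22900 unpatched)."""
    return parse_pcs_version(version_text) < FIXED_VERSION


def assess_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify each host as 'vulnerable', 'patched', or 'unknown' (unparseable version)."""
    results = []
    for host, version in inventory.items():
        if not is_valid_version(version):
            status = "unknown"
        elif is_vulnerable(version):
            status = "vulnerable"
        else:
            status = "patched"
        results.append((host, version, status))
    return results


# Constructed sample inventory (hostnames, versions and the build number are made up).
SAMPLE_INVENTORY = {
    "vpn-dc1": "9.1R11.3 (build 1234)",
    "vpn-dc2": "9.1R11.4 (build 1234)",
    "vpn-branch": "9.0R3.2",
    "vpn-legacy": "8.3R7.1",
    "vpn-new": "9.1R12",
    "vpn-bad-record": "n/a",
}

if __name__ == "__main__":
    for host, version, status in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:16} {version:24} {status}")
```

Feed it the version strings you collect from the System > Status page (or from your CMDB) and treat "unknown" as a record to chase rather than as safe.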
📡 Detection & Monitoring
Log Indicators:
- Unusual archive file uploads in admin logs
- Multiple failed upload attempts
- Suspicious admin login patterns
Network Indicators:
- Unusual traffic to admin interface from unexpected sources
- Large file uploads to admin endpoints
SIEM Query (illustrative; the source and field names are placeholders to adapt to your log pipeline):
source="pulse_secure" AND (event="file_upload" OR event="archive_upload") AND user_role="admin"
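As an added example of the log indicators above (this is not a vendor-supplied rule or the page's own SIEM query), the script below runs three detections over PCS admin-log lines: an archive upload from a source address outside an admin allowlist, a burst of archive uploads by one admin from one address within a short window, and repeated failed uploads. The line layout (`<date> <time> - <host> - [<src ip>] <user>(<realm>)[<role>] - <message>`) is assumed to approximate a PCS syslog export; the message texts, addresses and the trusted network are constructed for the example, so check them against your own admin-log samples before deploying.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Assumed line shape for a PCS admin-log syslog export (verify against your own logs):
#   <date> <time> - <host> - [<src ip>] <user>(<realm>)[<role>] - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<host>\S+) - "
    r"\[(?P<src>[^\]]+)\] (?P<user>[^(]+)\((?P<realm>[^)]+)\)\[(?P<role>[^\]]+)\] - (?P<msg>.*)$"
)
# Archive extensions worth flagging; extend to match what your admin UI accepts.
ARCHIVE_RE = re.compile(r"\.(?:zip|tar|tgz|tar\.gz|pkg)\b", re.IGNORECASE)

# Hypothetical admin-source allowlist: replace with your management VLAN or jump hosts.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    role: str
    msg: str


@dataclass
class Alert:
    rule: str
    user: str
    src: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                 m["src"], m["user"].strip(), m["role"], m["msg"])


def is_archive_upload(ev: Event) -> bool:
    low = ev.msg.lower()
    return "upload" in low and ARCHIVE_RE.search(low) is not None


def is_failed_upload(ev: Event) -> bool:
    return ev.msg.lower().startswith("upload failed")


def from_trusted_net(src: str, nets=TRUSTED_ADMIN_NETS) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(addr in net for net in nets)


def analyze(lines: Iterable[str], trusted_nets=TRUSTED_ADMIN_NETS, burst_n: int = 3,
            window: timedelta = timedelta(minutes=5), fail_n: int = 2) -> List[Alert]:
    alerts: List[Alert] = []
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)  # sliding window per (user, src)
    failed: Dict[Tuple[str, str], int] = defaultdict(int)
    burst_fired, fail_fired = set(), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_archive_upload(ev):
            continue
        key = (ev.user, ev.src)
        # Rule 1: any archive upload from outside the admin allowlist.
        if not from_trusted_net(ev.src, trusted_nets):
            alerts.append(Alert("untrusted_source", ev.user, ev.src, ev.msg))
        # Rule 2: burst of uploads within the window (fires once per key).
        q = recent[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= burst_n and key not in burst_fired:
            burst_fired.add(key)
            alerts.append(Alert("upload_burst", ev.user, ev.src,
                                f"{len(q)} archive uploads within {window}"))
        # Rule 3: repeated failed uploads, a common sign of someone tuning a crafted archive.
        if is_failed_upload(ev):
            failed[key] += 1
            if failed[key] >= fail_n and key not in fail_fired:
                fail_fired.add(key)
                alerts.append(Alert("repeated_failed_upload", ev.user, ev.src,
                                    f"{failed[key]} failed archive uploads"))
    return alerts


def rule_counts(alerts: List[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a.rule] += 1
    return dict(counts)


# Constructed sample log: one routine upload from the admin VLAN, then a sequence from an
# unexpected Internet address (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
2021-04-20 09:58:02 - ive - [10.10.0.15] admin(Admin Users)[.Administrators] - Login succeeded for admin/Admin Users from 10.10.0.15.
2021-04-20 10:03:41 - ive - [10.10.0.15] admin(Admin Users)[.Administrators] - Uploaded archive package export-2021-04.zip (size 48231).
2021-04-20 13:12:09 - ive - [203.0.113.77] admin(Admin Users)[.Administrators] - Login succeeded for admin/Admin Users from 203.0.113.77.
2021-04-20 13:12:44 - ive - [203.0.113.77] admin(Admin Users)[.Administrators] - Uploaded archive package config.tgz (size 9120).
2021-04-20 13:13:02 - ive - [203.0.113.77] admin(Admin Users)[.Administrators] - Uploaded archive package config2.tgz (size 9144).
2021-04-20 13:13:20 - ive - [203.0.113.77] admin(Admin Users)[.Administrators] - Uploaded archive package config3.tgz (size 9150).
2021-04-20 13:14:00 - ive - [203.0.113.77] admin(Admin Users)[.Administrators] - Upload failed for file x.tgz: invalid archive.
2021-04-20 13:14:21 - ive - [203.0.113.77] admin(Admin Users)[.Administrators] - Upload failed for file y.tgz: invalid archive.
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"{a.rule:24} {a.user}@{a.src}: {a.detail}")
```

The routine upload from 10.10.0.15 produces nothing; the sequence from 203.0.113.77 trips all three rules. Tune `burst_n`, `window` and `fail_n` to your change-management reality, and remember that a correctly patched appliance still logs these uploads, so the rules are about who is uploading and how, not about the CVE itself.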