CVE-2021-22937
📋 TL;DR
This vulnerability allows authenticated administrators on Pulse Connect Secure appliances to write arbitrary files by uploading a maliciously crafted archive through the web interface. This could lead to remote code execution or system compromise. Only administrators with web interface access are affected.
💻 Affected Systems
- Pulse Connect Secure
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to data exfiltration, lateral movement, or persistent backdoor installation
Likely Case
Unauthorized file modification leading to configuration changes, privilege escalation, or denial of service
If Mitigated
Limited impact due to strict access controls and monitoring preventing malicious archive uploads
🎯 Exploit Status
Requires authenticated administrator access to the web interface
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.1R12 or later
Vendor Advisory: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858/?kA23Z000000L6oySAC
Restart Required: Yes
Instructions:
1. Download Pulse Connect Secure 9.1R12 or later from the Pulse Secure support portal.
2. Back up the current configuration.
3. Apply the update via the admin web interface.
4. Restart the appliance.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit administrative access to only trusted IP addresses and users
Disable Unnecessary Admin Features
Disable archive upload functionality if not required
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Pulse Connect Secure appliances
- Enable detailed logging and monitoring for file upload activities and administrator actions
🔍 How to Verify
Check if Vulnerable:
Check the Pulse Connect Secure version in the admin web interface under System > Maintenance > Version Information
Check Version:
ssh admin@<pulse-ip> show version
Verify Fix Applied:
Verify version is 9.1R12 or later in the admin web interface
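A small version comparison helper, added here as an example and not part of the original advisory, for checking an appliance's reported version against the 9.1R12 fix threshold. Pulse Connect Secure version strings such as "9.1R12" or "9.1R11.4" must not be compared as plain strings ("9.1R9" sorts after "9.1R12" lexicographically), so the helper parses them into numeric tuples. The version-string pattern is an assumption about the format, not taken from vendor documentation.

```python
import re

# Minimum fixed release as stated in the advisory.
FIXED_VERSION = "9.1R12"

# Assumed layout: <major>.<minor>R<release>[.<patch>], e.g. "9.1R12" or "9.1R11.4".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return a comparable tuple (major, minor, release, patch); raise on unknown formats."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return parse_version(version_text) < parse_version(fixed)


def triage(versions, fixed=FIXED_VERSION):
    """Map each reported version string to 'vulnerable', 'fixed' or 'unknown'."""
    result = {}
    for v in versions:
        try:
            result[v] = "vulnerable" if is_vulnerable(v, fixed) else "fixed"
        except ValueError:
            result[v] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample of versions as they might be collected from several appliances.
    for version, status in triage(["9.1R9", "9.1R11.4", "9.1R12", "9.1R12.1", "n/a"]).items():
        print(f"{version:>10}: {status}")
```

Feed `triage()` the version strings collected from each appliance's admin interface; anything reported as "unknown" should be checked by hand rather than assumed fixed.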
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload activities in admin logs
- Archive file uploads with suspicious names or sizes
- Administrator login from unexpected locations
Network Indicators:
- HTTP POST requests to admin interface with file uploads
- Unusual outbound connections from Pulse appliance
SIEM Query:
source="pulse_secure" AND (event_type="file_upload" OR action="archive_upload")
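The indicators above turned into a small triage script, added here as an example and not part of the original advisory or any vendor tooling. It runs over constructed sample log lines in a simple key=value layout (this is not the real Pulse Connect Secure log format; the parser has to be adapted to the appliance's actual export) and flags administrator logins from outside an assumed management network, uploads from untrusted sources, archive-like or path-traversal-style upload names, and unusually large uploads.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines; NOT the real appliance log format.
SAMPLE_LOGS = """\
ts=2021-08-02T09:12:01Z src=10.10.5.20 user=admin event_type=login result=success
ts=2021-08-02T09:13:44Z src=10.10.5.20 user=admin event_type=file_upload name=config-backup.cfg size=18231
ts=2021-08-02T23:51:09Z src=203.0.113.77 user=admin event_type=login result=success
ts=2021-08-02T23:52:30Z src=203.0.113.77 user=admin event_type=file_upload name=update.tgz size=5242880
ts=2021-08-03T01:04:12Z src=10.10.5.21 user=auditor event_type=file_upload name=../../etc/passwd.tar size=4096
"""

# Assumed trusted management network; adjust to the environment.
TRUSTED_ADMIN_NETS = [ip_network("10.10.5.0/24")]
ARCHIVE_SUFFIXES = (".tar", ".tgz", ".tar.gz", ".zip", ".gz")
LARGE_UPLOAD_BYTES = 1_000_000


def parse_line(line):
    """Split a key=value line into a dict; returns {} for lines that carry no pairs."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_trusted(src):
    """True when the source address lies inside one of the trusted admin networks."""
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def suspicious_name(name):
    """Archive-like names, or names carrying path separators or '..', merit a look."""
    lower = name.lower()
    return lower.endswith(ARCHIVE_SUFFIXES) or ".." in name or "/" in name


def analyze(log_text):
    """Return a list of (reason, parsed_event) tuples for lines worth analyst triage."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        src = ev.get("src", "")
        etype = ev.get("event_type")
        if etype == "login" and src and not is_trusted(src):
            alerts.append(("admin login from untrusted source", ev))
        if etype in ("file_upload", "archive_upload"):
            name = ev.get("name", "")
            size = int(ev.get("size", "0"))
            if src and not is_trusted(src):
                alerts.append(("upload from untrusted source", ev))
            if suspicious_name(name):
                alerts.append(("archive or path-traversal style upload name", ev))
            if size >= LARGE_UPLOAD_BYTES:
                alerts.append(("unusually large upload", ev))
    return alerts


if __name__ == "__main__":
    for reason, ev in analyze(SAMPLE_LOGS):
        print(f"{ev['ts']} {ev['src']:>14} {ev.get('user', '?'):>8}  {reason}")
```

The thresholds and the trusted network are deliberately conservative placeholders; tune them to the site's baseline so that routine configuration backups from the management subnet do not page anyone while off-network administrator activity does.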