CVE-2021-22965
📋 TL;DR
An unauthenticated administrator can cause a denial of service on Pulse Connect Secure devices by sending malformed requests. This affects Pulse Connect Secure versions before 9.1R12.1, potentially disrupting VPN connectivity for organizations using this product.
💻 Affected Systems
- Pulse Connect Secure
📦 What is this software?
Pulse Connect Secure is a VPN gateway appliance that provides remote access to an organization's network for its users.
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of Pulse Connect Secure VPN gateway, preventing all remote access and VPN connectivity for the organization.
Likely Case
Temporary service interruption requiring device restart, disrupting VPN access for remote users until service is restored.
If Mitigated
Minimal impact with proper network segmentation and monitoring allowing quick detection and response to DoS attempts.
🎯 Exploit Status
The vulnerability requires sending malformed requests to the device's management interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.1R12.1 and later
Vendor Advisory: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44879/?kA13Z000000L3ZF
Restart Required: Yes
Instructions:
1. Download Pulse Connect Secure 9.1R12.1 or later from the Pulse Secure support portal.
2. Back up the current configuration.
3. Apply the update through the web management interface.
4. Restart the appliance as prompted.
🔧 Temporary Workarounds
Restrict Management Interface Access
Limit access to the Pulse Connect Secure management interface to trusted IP addresses only.
Configure firewall rules so that the Pulse Connect Secure management IP/ports are reachable only from authorized networks.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Pulse Connect Secure management interface
- Monitor for unusual traffic patterns or repeated connection attempts to the management interface
🔍 How to Verify
Check if Vulnerable:
Check the Pulse Connect Secure version in the web management interface under System > Maintenance > Software Updates.
Check Version:
No CLI command; check via the web interface at System > Maintenance > Software Updates.
Verify Fix Applied:
Verify that the version shows 9.1R12.1 or later after patching, and confirm normal operation.
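Because the version can only be read from the web interface, a fleet check usually means pasting version strings into a script. The following is an added example (not the page's or Pulse Secure's code) that parses the vendor's `<major>.<minor>R<release>[.<build>]` version format and compares it against the 9.1R12.1 fix version named above. The version format handling (a missing build number treated as 0) is an assumption made here:

```python
"""Version gate for CVE-2021-22965.

Added example; not from the advisory page or from Pulse Secure.
Version strings are assumed to be copied from the web UI
(System > Maintenance > Software Updates) and to follow the
<major>.<minor>R<release>[.<build>] pattern, e.g. 9.1R12.1.
"""
import re

FIXED_VERSION = "9.1R12.1"  # first fixed release, per the advisory summary

# Assumed version grammar; the build component is optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(s):
    """Return a comparable (major, minor, release, build) tuple; build defaults to 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse Connect Secure version: {s!r}")
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def is_vulnerable(version):
    """True when the installed version is before the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def audit(versions_by_host):
    """Map hostname -> version string to a list of hosts still needing the patch."""
    return sorted(h for h, v in versions_by_host.items() if is_vulnerable(v))


if __name__ == "__main__":
    # Constructed inventory for illustration.
    inventory = {"vpn-a": "9.1R11.4", "vpn-b": "9.1R12.1", "vpn-c": "9.1R12"}
    print("needs patch:", audit(inventory))
```

Tuple comparison makes "9.1R12" (no build) sort below "9.1R12.1", which matches the advisory's "before 9.1R12.1" wording; a host running a version string the regex does not recognise raises rather than silently passing.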
📡 Detection & Monitoring
Log Indicators:
- Multiple malformed HTTP requests to management interface
- Unexpected service restarts or crashes
Network Indicators:
- Unusual traffic patterns to Pulse Connect Secure management port (typically 443)
- Repeated connection attempts from untrusted sources
SIEM Query:
source="pulse_secure" AND (event_type="service_restart" OR http_request contains "malformed")
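The log and network indicators above, implemented as a small detector in an added Python example (not the page's or Pulse Secure's code). The log line format, the field names and the sample lines are constructed for illustration; real Pulse Connect Secure exports use a different format, so the `parse_line` regexes would need adapting to the actual log source. The trusted-network list is the same allowlist the workaround section asks you to enforce at the firewall:

```python
"""Detection logic for the CVE-2021-22965 indicators.

Added example; not from the advisory page or from Pulse Secure.
Log format, field names and sample lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real device output).
SAMPLE_LOGS = """\
2021-10-05T10:00:01Z pcs1 web: src=203.0.113.5 dport=443 status=400 msg="malformed request"
2021-10-05T10:00:02Z pcs1 web: src=203.0.113.5 dport=443 status=400 msg="malformed request"
2021-10-05T10:00:03Z pcs1 web: src=203.0.113.5 dport=443 status=400 msg="malformed request"
2021-10-05T10:00:04Z pcs1 web: src=10.0.0.7 dport=443 status=200 msg="admin login"
2021-10-05T10:00:05Z pcs1 system: event=service_restart msg="web service restarted"
2021-10-05T10:00:06Z pcs1 web: src=198.51.100.9 dport=443 status=200 msg="admin login"
"""

# Assumed line shape: "<timestamp> <host> <facility>: key=value key="quoted value" ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "facility": m.group("facility")}
    for key, value in KV_RE.findall(m.group("kv")):
        rec[key] = value.strip('"')
    return rec


def analyze(log_text, trusted_nets, mgmt_port="443", malformed_threshold=3):
    """Return alerts for the three indicator classes listed in the advisory."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    malformed_by_src = Counter()
    untrusted_by_src = Counter()

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Indicator: unexpected service restarts or crashes.
        if rec.get("event") == "service_restart":
            alerts.append({"kind": "service_restart", "host": rec["host"], "ts": rec["ts"]})
        src = rec.get("src")
        if src is None:
            continue
        # Indicator: management-port traffic from outside the trusted networks.
        if rec.get("dport") == mgmt_port and not any(ipaddress.ip_address(src) in n for n in trusted):
            untrusted_by_src[src] += 1
        # Indicator: malformed HTTP requests to the management interface.
        if "malformed" in rec.get("msg", "").lower():
            malformed_by_src[src] += 1

    for src, n in untrusted_by_src.items():
        alerts.append({"kind": "untrusted_mgmt_access", "src": src, "count": n})
    for src, n in malformed_by_src.items():
        if n >= malformed_threshold:
            alerts.append({"kind": "repeated_malformed", "src": src, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS, ["10.0.0.0/8"]):
        print(alert)
```

Sources are aggregated once per indicator rather than alerted per line, so a single host sending a burst of malformed requests produces one `repeated_malformed` alert with its count instead of one alert per request; the `malformed_threshold` and the trusted-network list are the two knobs to tune for a given environment.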