CVE-2021-31922
📋 TL;DR
CVE-2021-31922 is an HTTP request smuggling vulnerability in Pulse Secure Virtual Traffic Manager that allows attackers to bypass security controls by smuggling malicious HTTP requests through HTTP/2 headers. This affects organizations using vulnerable versions of Pulse Secure Virtual Traffic Manager as a reverse proxy or load balancer.
💻 Affected Systems
- Pulse Secure Virtual Traffic Manager
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass authentication, access internal systems, steal sensitive data, or perform cache poisoning attacks against downstream servers.
Likely Case
Attackers could bypass security controls to access restricted resources or perform web cache poisoning to serve malicious content to users.
If Mitigated
With proper network segmentation and monitoring, impact would be limited to the affected proxy layer with minimal data exposure.
🎯 Exploit Status
HTTP request smuggling attacks are well-documented and tools exist for testing these vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, or 18.2R3
Vendor Advisory: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44790
Restart Required: Yes
Instructions:
1. Download the appropriate patch version from the Pulse Secure support portal.
2. Back up the current configuration.
3. Apply the patch following the vendor instructions.
4. Restart the Virtual Traffic Manager service.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Disable HTTP/2
Temporarily disable HTTP/2 protocol support to prevent exploitation via HTTP/2 headers.
Navigate to Traffic Manager UI > System > Configuration > Protocols > HTTP/2 and disable it.
Restrict HTTP/2 to trusted clients
Configure access controls to limit HTTP/2 connections to trusted IP addresses only.
Use Traffic Manager's connection filtering rules to restrict HTTP/2 traffic to those addresses.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for HTTP headers
- Deploy WAF with HTTP request smuggling protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Virtual Traffic Manager version via the admin interface or CLI. If the version is earlier than the patched versions listed above, the system is vulnerable.
Check Version:
ssh admin@vtrafficmanager "show version" or check via web admin interface
Verify Fix Applied:
Verify the version has been updated to one of the patched versions and test HTTP/2 request handling with security testing tools.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP/2 header patterns
- Requests with malformed headers
- Unexpected backend server responses
Network Indicators:
- HTTP/2 traffic with unusual header sequences
- Requests that bypass expected security controls
SIEM Query:
source="pulse-vtm" AND (http_version="2" AND (header_length>threshold OR header_pattern="smuggle"))
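The "malformed headers" indicator above is easiest to act on at the proxy itself. As an added defender-side example (not code from this page or from Pulse Secure), the validator below applies the RFC 7540 rules a proxy must enforce before rewriting an HTTP/2 request as HTTP/1.1; it illustrates the general class of HTTP/2-header smuggling checks, since the page does not detail the specific vTM defect. The sample header blocks and payloads are constructed for the example.

```python
"""Validate an HTTP/2 header block before a proxy downgrades it to HTTP/1.1.

RFC 7540 treats connection-specific fields (8.1.2.2), pseudo-headers after
regular ones (8.1.2.1) and CR/LF/NUL in field values (10.3) as malformed; a
proxy that copies them into HTTP/1.1 hands the backend framing it may read
differently. All sample requests here are constructed for this example.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]
# Forbidden in HTTP/2 (RFC 7540 section 8.1.2.2).
CONNECTION_SPECIFIC = {"connection", "transfer-encoding", "keep-alive",
                       "proxy-connection", "upgrade"}


def h2_header_findings(headers: List[Header], body: bytes) -> List[str]:
    """Return the reasons this block must not be downgraded (empty = safe)."""
    findings: List[str] = []
    seen_regular = False
    lengths: List[str] = []
    for name, value in headers:
        if name != name.lower():
            findings.append(f"uppercase header name {name!r}")
        if name.startswith(":") and seen_regular:
            findings.append(f"pseudo-header {name} after regular headers")
        seen_regular = seen_regular or not name.startswith(":")
        if any(c in name + value for c in "\r\n\0"):
            findings.append(f"CR/LF/NUL inside header {name!r}")
        if name.lower() in CONNECTION_SPECIFIC:
            findings.append(f"connection-specific header {name.lower()!r}")
        if name.lower() == "content-length":
            lengths.append(value)
    # A DATA payload that disagrees with content-length is the other framing hazard.
    if lengths and (len(set(lengths)) > 1 or not all(v.isdigit() for v in lengths)):
        findings.append("conflicting or non-numeric content-length")
    elif lengths and int(lengths[0]) != len(body):
        findings.append(f"content-length {lengths[0]} != body length {len(body)}")
    return findings

# Constructed samples: label -> (header block, DATA payload)
SAMPLES: Dict[str, Tuple[List[Header], bytes]] = {
    "clean": ([(":method", "POST"), (":path", "/login"), ("content-length", "9")], b"user=demo"),
    "te-in-h2": ([(":method", "POST"), (":path", "/"), ("transfer-encoding", "chunked")], b"0\r\n\r\n"),
    "crlf-value": ([(":method", "GET"), (":path", "/"), ("x-client", "a\r\nx-injected: 1")], b""),
    "cl-mismatch": ([(":method", "POST"), (":path", "/"), ("content-length", "64")], b"abc"),
}

def scan_samples() -> Dict[str, List[str]]:
    """Run the validator over every sample; a proxy would reject non-empty results."""
    return {label: h2_header_findings(h, b) for label, (h, b) in SAMPLES.items()}
```

Rejecting (rather than rewriting) a block with any finding, and logging the finding text, gives the "malformed headers" indicator a concrete field to alert on.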