SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4


Information

 
Product Affected: Pulse Connect Secure
Problem
Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS). This includes an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. Many of these vulnerabilities have a critical CVSS score and pose a significant risk to your deployment.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? for our End of Engineering (EOE) and End of Life (EOL) policies.

The table below provides details of the vulnerability:
 
| CVE | CVSS Score (V3.1) | Summary | Product Affected |
|---|---|---|---|
| CVE-2021-22893 | 10 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | Multiple use after free in Pulse Connect Secure before 9.1R11.4 allows a remote unauthenticated attacker to execute arbitrary code via license server web services. | PCS 9.0R3/9.1R1 and Higher |
| CVE-2021-22894 | 9.9 Critical, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | Buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room. | PCS: 9.1Rx, 9.0Rx |
| CVE-2021-22899 | 9.9 Critical, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | Command Injection in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform remote code execution via Windows File Resource Profiles. | PCS: 9.1Rx, 9.0Rx |
| CVE-2021-22900 | 7.2 High, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface. | PCS: 9.1Rx, 9.0Rx |

Solution

The solution for these vulnerabilities is to upgrade the Pulse Connect Secure server software to version 9.1R11.4.
 

| If the PCS version is installed: | Then deploy this version (or later) to resolve the issue: | Expected Release | Notes (if any) |
|---|---|---|---|
| Pulse Connect Secure 9.0RX & 9.1RX | Pulse Connect Secure 9.1R11.4 | Available Now | Known cert issue for browser clients if upgrading from any version below 9.1R8. See KB44781 |

Document History:
April 20, 2021 - Initial advisory posted and workaround files posted under Download Centre.
May 3, 2021 - Added 3 additional CVEs (CVE-2021-22894, CVE-2021-22899, CVE-2021-22900) and software posted to the Download Centre.

LEGAL DISCLAIMER

  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HERE FROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround
CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 can be mitigated by importing the Workaround-2104.xml file.

Impact: The XML file disables the following features on the PCS appliance.
  • Windows File Share Browser
  • Pulse Secure Collaboration
We are using the blacklisting feature to disable the URL-based attack.

Download: Download Center at https://my.pulsesecure.net
Note:
  • The XML file is in zipped format; unzip it, then import the XML file.
  • Import of this XML into any one node of a Cluster is enough.

Customers can download and import the file under the following location:
Go to Maintenance > Import/Export > Import XML. Import the file. 
  • This disables the Pulse Collaboration & Windows File Share browser functionality.
  • If there is a load balancer in front of the PCS, this may affect the Load Balancer.
    • If your load balancer is using round-robin or using HealthCheck.cgi or advanced healthcheck.cgi, it will not be affected.
Disable the Windows File Browser and Pulse Collaboration in the Admin UI by following the steps below:
  • Navigate to User > User Role > Click Default Option >> Click on General
  • Under the Access Feature, make sure the "Files, Windows" & "Meetings" options are not checked.
  • Go to Users > User Roles
  • Click on each role in turn and ensure under the Access Feature of each role, the File, Windows & Meetings options are not enabled.
There is no need to reboot or restart services under the Pulse Secure Appliance.
The URIs are as follows in case you want to block them at your network edge using an inline load balancer doing SSL decryption:

^/+dana/+meeting
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
^/+dana-ws/+namedusers
^/+dana-ws/+metric

This is only possible if there is an inline load balancer that does SSL decryption.  
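
An added example (not part of the Pulse Secure advisory) that applies the five URI patterns above to an inline load balancer's access log and reports matching requests that were not rejected. The Common Log Format layout, the use of status 403 for a rejected request, and the sample lines are assumptions constructed for illustration.

```python
import re

# URI patterns from the advisory, copied verbatim.
BLOCK_PATTERNS = [
    r"^/+dana/+meeting",
    r"^/+dana/+fb/+smb",
    r"^/+dana-cached/+fb/+smb",
    r"^/+dana-ws/+namedusers",
    r"^/+dana-ws/+metric",
]
_COMPILED = [(p, re.compile(p)) for p in BLOCK_PATTERNS]

# Assumption: Common Log Format with the request line in double quotes.
_REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IPs, made-up path suffixes).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Apr/2021:10:01:02 +0000] "GET /dana/meeting/example HTTP/1.1" 403 0',
    '198.51.100.7 - - [20/Apr/2021:10:01:05 +0000] "POST //dana-ws///namedusers?x=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Apr/2021:10:02:11 +0000] "GET /example/dana/meeting HTTP/1.1" 404 0',
    '203.0.113.9 - - [20/Apr/2021:10:02:40 +0000] "GET /dana/example HTTP/1.1" 200 2048',
    '192.0.2.44 - - [20/Apr/2021:10:03:00 +0000] "GET /dana-cached/fb/smb/example HTTP/1.1" 403 0',
]

def matched_pattern(request_target):
    """Return the advisory pattern the request path matches, or None."""
    path = request_target.split("?", 1)[0]  # patterns apply to the path only
    for pattern, rx in _COMPILED:
        if rx.search(path):
            return pattern
    return None

def audit(lines):
    """Return (client, target, status, pattern) for requests to the listed URIs."""
    hits = []
    for line in lines:
        m = _REQUEST.match(line)  # lines not in the assumed format are skipped
        pattern = matched_pattern(m.group(2)) if m else None
        if pattern:
            hits.append((m.group(1), m.group(2), int(m.group(3)), pattern))
    return hits

def not_blocked(lines):
    """Hits whose status is not 403, i.e. the edge rule did not reject them."""
    return [h for h in audit(lines) if h[2] != 403]

if __name__ == "__main__":
    print(not_blocked(SAMPLE_LOG))
```

The `/+` in each pattern is what lets the second sample line match despite its repeated slashes; an edge rule written as a plain `/dana-ws/namedusers` prefix comparison would not cover that request.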

NOTE: When you apply the 9.1R11.4 release fix, please remove the workaround with the following steps:
  • Import the file remove-workaround-2104.xml (found in the same download location as Workaround-2104.xml: Download Center at https://my.pulsesecure.net).
  • Restore the previous settings for "Files, Windows" & "Meetings".

Limitations:
  • Workaround-2104.xml does not work on 9.0R1 - 9.0R4.1 or 9.1R1 - 9.1R2. If your PCS is running one of these versions, upgrade before doing the import.
  • The workaround is not recommended for a license server. We recommend minimizing who can connect to a license server. For example, place a license server on a management VLAN, or have a firewall enforce source-IP restrictions. 
Implementation

Frequently Asked Questions (FAQ):

Question 1: I've already applied the XML. Do I need to install 9.1R11.4?
Answer: If you are on 9.1R9 or above and have applied the XML, we still recommend moving to 9.1R11.4 to fully patch against the latest vulnerabilities.

If you are running any version below 9.1R9, even with the applied XML, you are susceptible to old vulnerabilities, so we highly recommend upgrading to 9.1R9 or R10 code branches with the applied XML or 9.1R11.4.

Question 2: Will the device reboot after importing the XML File?
Answer: No, the Workaround-2104.xml file does not reboot or restart services under the Pulse Secure Appliance.

Question 3: We are using A/A or A/P Cluster, do we need to import the XML file individually on each node?
Answer: No, Workaround-2104.xml only needs to be imported on one node; the cluster will sync the configuration between nodes.

Question 4: How do I upgrade Pulse Connect Secure / Pulse Policy Secure to resolve this vulnerability?
Answer:  Download a fixed version of the Pulse Connect Secure or Pulse Policy Secure available from the Licensing & Download Center at https://my.pulsesecure.net.  For upgrade documentation, please refer to:


Question 5:  I do not have access to my.pulsesecure.net to download the recommended PCS version?
Answer: Please refer to KB40031 for onboarding at my.pulsesecure.net. If you face any issues, please contact Pulse Secure Global Support Center.

Question 6: How can we restore File Share & Meeting functionality post-upgrade to the 9.1R11.4 PCS version?
Answer: After upgrading to PCS 9.1R11.4, import the remove-workaround-2104.xml to restore the settings.

  • Download the remove-workaround-2104.xml (found in the same download location as Workaround-2104.xml: Download Center at https://my.pulsesecure.net):
      1. Once redirected to my.pulsesecure.net
      2. Log in to my.pulsesecure.net
      3. Click Software Licensing and Download
      4. Select Pulse License and Download Center
      5. Software Download (LEFT)
      6. Select the Product Line and Product Type as Pulse Connect Secure
      7. Click on Download for "Pulse Connect Secure SA44784 Workaround XML"
      8. Accept to compliance and Agreement
      9. Select View detail under "ps-pcs-sa-44784-remove-workaround-2104.xml.zip"
      10. Scroll down and click on Download.
  • Go to Maintenance > Import/Export > Import XML. Import the remove-workaround-2104.xml.
  • It will restore Pulse Collaboration & Windows File Share browser functionality.
CVSS Score: 10 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Alert Type: SA - Security Advisory
Risk Level: Critical