SA44800 - 2021-05: Out-of-Cycle Advisory: Pulse Connect Secure Buffer Overflow Vulnerability


Information

 
Product Affected: Pulse Connect Secure
Problem
A vulnerability was discovered in Pulse Connect Secure (PCS): a buffer overflow on the Pulse Connect Secure gateway that allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user.

For the releases that receive fixes under our End of Engineering (EOE) and End of Life (EOL) policies, refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities?

The table below provides details of the vulnerability:

 
CVE: CVE-2021-22908
CVSS: 8.5 High (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Summary: Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. As of version 9.1R3, this permission is not enabled by default.
Product Affected: PCS 9.0Rx, 9.1Rx
Solution
The solution for this vulnerability is to upgrade the Pulse Connect Secure server software to version 9.1R11.5.
 
If the PCS/PPS version is installed: Pulse Connect Secure 9.0RX & 9.1RX
Then deploy this version (or later) to resolve the issue: Pulse Connect Secure 9.1R11.5
Expected Release: Available Now
Notes (if any): (none)

Document History:
May 14, 2021 - Initial advisory posted and workaround files posted under Download Centre.
June 11, 2021 - Software Release posted under Download Centre.

LEGAL DISCLAIMER

  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HERE FROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround
CVE-2021-22908 can be mitigated by importing the Workaround-2105.xml file.

Impact:
The XML file disables the following feature on the PCS appliance:
  • Windows File Share Browser
We use the blacklisting feature to block the URL-based attack.
 
Download: Download Center at https://my.pulsesecure.net

Note:
  • The XML file is provided in zipped format; unzip it and then import the XML file.
  • Importing this XML into any one node of a cluster is enough.

Customers can download the file and import it at the following location:
Go to Maintenance > Import/Export > Import XML. Import the file.
  • This disables the Windows File Share browser functionality.
There is no need to reboot or restart services under the Pulse Secure Appliance.

NOTE: When you apply the 9.1R11.5 release fix, please remove the workaround with the following step:
  • Import the file remove-workaround-2105.xml (found in the same download location as Workaround-2105.xml: Download Center at https://my.pulsesecure.net).
Limitations:

Workaround.xml does not work on 9.0R1 - 9.0R4.1 or 9.1R1 - 9.1R2. If your PCS is running one of these versions, upgrade before doing the import.

    Implementation

    Frequently Asked Questions (FAQ):

    Question 1: Will the device reboot after importing the XML File?
    Answer: No, the Workaround-2105.xml file does not reboot or restart services under the Pulse Secure Appliance.

    Question 2: I've already applied the Workaround-2104.xml file provided in SA44784. Do I need to import the new XML file?
    Answer: No. If you have already applied the Workaround-2104.xml file on the PCS appliance, the 2105 XML file (Workaround-2105.xml) is not required.
    • Customers running PCS version 9.1R11.4 need to import the 2105 XML (Workaround-2105.xml) and can remove the 2104 XML (Workaround-2104.xml).
    • Customers running PCS version 9.1R11.3 or below need to import the 2104 XML (Workaround-2104.xml). Workaround-2104.xml blocks the same URL mentioned in the 2105 XML (Workaround-2105.xml). Please refer to SA44784 for details.

    Question 3: I've already applied the workaround-2104.xml XML provided in SA44784, what happens if I import the new XML (Workaround-2105.xml) under the PCS appliance?
    Answer: Once you import the new Workaround-2105.xml, it will overwrite the existing workaround 2104 XML file on the PCS appliance. This is not recommended for customers running PCS version 9.1R11.3 or below.

    Question 4: I’m not currently running 9.1R11.4, do I need to apply the new Workaround-2105.xml to my non R11.4 PCS version?
    Answer: No. Customers running PCS version 9.1R11.3 or below need to import the 2104 XML (Workaround-2104.xml). Workaround-2104.xml blocks the same URL mentioned in the 2105 XML (Workaround-2105.xml). Please refer to SA44784 for details.

    Question 5: We are using A/A or A/P Cluster, do we need to import the XML file individually on each node?
    Answer: No. Import Workaround-2105.xml on one node only; the cluster will sync the configuration between nodes.

    Question 6: I do not have access to my.pulsesecure.net to download the recommended PCS version?
    Answer: Please refer to KB40031 for onboarding at my.pulsesecure.net. If you face any issues, please contact Pulse Secure Global Support Center.

    Question 7: How can we disable the Windows File Browser from user roles, and can we disable this feature as a workaround?
    Answer: Disabling the Windows File Browser under the Admin UI cannot be used as a workaround. Please import the Workaround-2105.xml under PCS as a workaround. 

    Please follow the steps below to disable the Windows File Browser under the Admin UI:
    • Navigate to User > User Role, click Default Option, then click General.
    • Under the Access Feature, make sure the "Files, Windows" options are not checked.
    • Go to Users > User Roles.
    • Click on each role in turn and ensure that, under the Access Feature of each role, the "Files, Windows" options are not enabled.
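
The version rules from the Solution, Limitations and FAQ sections above can be applied to an appliance inventory in one pass. The following is an added example, not Pulse Secure code: the function names, hostnames and inventory are constructed, and treating point releases of 9.1R2 as inside the "9.1R1 - 9.1R2" range is an assumption.

```python
import re

# Version rules are the ones stated in this advisory; the inventory is constructed.
FIXED = (9, 1, 11, 5)  # 9.1R11.5, the release that resolves CVE-2021-22908
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """'9.1R11.4' -> (9, 1, 11, 4); a missing point release counts as 0."""
    match = _VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised PCS version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def workaround_unsupported(v):
    """Limitations: the XML does not work on 9.0R1 - 9.0R4.1 or 9.1R1 - 9.1R2."""
    in_90 = (9, 0, 1, 0) <= v <= (9, 0, 4, 1)
    # Assumption: point releases of 9.1R2 are treated as inside the range.
    in_91 = (9, 1, 1) <= v[:3] <= (9, 1, 2)
    return in_90 or in_91


def triage(version_text):
    """Return the action the advisory prescribes for one appliance version."""
    v = parse_version(version_text)
    if v[:2] not in ((9, 0), (9, 1)):
        return "not listed in advisory"
    if v >= FIXED:
        return "fixed release"
    if workaround_unsupported(v):
        return "upgrade before importing the workaround"
    if v == (9, 1, 11, 4):
        return "import Workaround-2105.xml"
    return "import Workaround-2104.xml (see SA44784)"  # 9.1R11.3 or below


if __name__ == "__main__":
    inventory = {  # constructed hostnames and versions
        "vpn-a.example.internal": "9.1R11.4",
        "vpn-b.example.internal": "9.0R4.1",
        "vpn-c.example.internal": "9.1R9",
        "vpn-d.example.internal": "9.1R11.5",
    }
    for host, version in inventory.items():
        print(f"{host:26} {version:10} {triage(version)}")
```
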
    CVSS Score: 8.5 High (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
    Alert Type: SA - Security Advisory
    Risk Level: High
