Executive Summary
Summary | |
---|---|
Title | Pulse Connect Secure contains a use-after-free vulnerability |
Information | |||
---|---|---|---|
Name | VU#213092 | First vendor publication | 2021-04-20 |
Vendor | VU-CERT | Last vendor modification | 2021-05-19 |
Severity (vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | |||
---|---|---|---|
Overall CVSS Score | 10 | ||
Base Score | 10 | Environmental Score | 10 |
Impact Sub Score | 6 | Temporal Score | 10 |
Exploitability Sub Score | 3.9 | ||
Attack Vector | Network | Attack Complexity | Low |
Privileges Required | None | User Interaction | None |
Scope | Changed | Confidentiality Impact | High |
Integrity Impact | High | Availability Impact | High |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Overview
Pulse Connect Secure (PCS) gateway contains a use-after-free vulnerability that can allow an unauthenticated remote attacker to execute arbitrary code.

Description
CVE-2021-22893: A use-after-free vulnerability that can be reached via a license server handling endpoint may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system. Every system that is running PCS 9.0R3 or higher, or 9.1R1 through 9.1R11.3, is affected. Having the license server configuration enabled is NOT a prerequisite to being vulnerable: the vulnerable endpoints are present regardless of whether the system is an actual license server or not. This vulnerability is being exploited in the wild.

Impact
By making a crafted request to a vulnerable Pulse Connect Secure system, an unauthenticated remote attacker may be able to execute arbitrary code on the gateway with root privileges.

Solution
Apply an update
This vulnerability and others are addressed in Pulse Connect Secure 9.1R11.4.

Apply a workaround
If you are not using the features that the following workaround disables, we recommend applying the XML workaround even on systems that have been upgraded to 9.1R11.4, to reduce attack surface. Pulse Secure has published a Workaround-2104.xml file that contains mitigations to protect against this and other vulnerabilities. Importing this XML workaround activates the protections immediately and does not require any downtime for the VPN system. This workaround will block requests that match the following URI patterns:

Note that installing this workaround will block the ability to use the following features:

Instead of using the workaround to protect a PCS that is being used as a license server, we recommend updating such systems to PCS 9.1R11.4. If this is not possible, restrict which IP addresses are allowed to communicate with the system.

Run the PCS Integrity Assurance utility
A PCS administrator should run the PCS Integrity Assurance utility to help determine whether a system shows evidence of having been compromised. Be aware of two limitations of this tool:

Enable Unauthenticated Request logging
By default, PCS devices do not log unauthenticated web requests, and the administrative interface for a PCS device warns that "Selecting this can quickly fill up User access log space in case of attack." Because this vulnerability is exploitable via an unauthenticated request to the PCS, evidence of exploitation may only be present if the "Unauthenticated Requests" logging option is enabled. Enable it in the PCS administrative web interface under System -> Log/Monitoring -> User Access -> Settings by selecting the "Unauthenticated Requests" option.

Enable remote logging
Attackers who have compromised a PCS device may delete on-device logs in the process. For this reason, configure a remote Syslog server so that a copy of the PCS log entries survives even if the on-device logs are modified or deleted.

Acknowledgements
This vulnerability was publicly reported by Pulse Secure, with additional details and context published by FireEye. This document was written by Chuck Yarbrough and Will Dormann.
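To triage a fleet against the affected ranges stated above (PCS 9.0R3 or higher, 9.1R1 through 9.1R11.3, fixed in 9.1R11.4), the following Python is an added editorial example, not code from the CERT/CC note, Pulse Secure or this database. It parses the PCS version format major.minorRrelease[.maintenance] and classifies each version against those ranges. Two things are the editor's assumptions rather than the advisory's statements: that every release later than 9.1R11.4 carries the fix, and the sample inventory (hostnames and versions are constructed).

```python
import re
from typing import Dict, List, Tuple

# PCS versions look like "9.1R11.4": major.minor, an "R" release number and an
# optional maintenance number. A version without one ("9.1R11") sorts as .0.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_pcs_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a PCS version string into a tuple that compares in release order."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, maint = m.groups()
    return (int(major), int(minor), int(release), int(maint or 0))


# Boundaries taken from the advisory text above.
FIRST_AFFECTED_90 = parse_pcs_version("9.0R3")   # "PCS 9.0R3 or higher"
FIRST_AFFECTED_91 = parse_pcs_version("9.1R1")   # "9.1R1 through 9.1R11.3"
FIXED = parse_pcs_version("9.1R11.4")            # "addressed in ... 9.1R11.4"


def cve_2021_22893_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one PCS version."""
    v = parse_pcs_version(version)
    if v >= FIXED:
        # Assumption (editor's, not the advisory's): releases after 9.1R11.4
        # also contain the fix. The advisory itself names only 9.1R11.4.
        return "fixed"
    if v[:2] == (9, 0) and v >= FIRST_AFFECTED_90:
        return "affected"   # whole 9.0 branch from R3 on; no 9.0 fix is listed
    if v[:2] == (9, 1) and v >= FIRST_AFFECTED_91:
        return "affected"   # 9.1R1 .. 9.1R11.3
    return "not listed"     # older branches the advisory does not mention


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status; hosts whose version cannot be parsed go to 'unknown'
    so they are reviewed by hand rather than silently treated as safe."""
    out: Dict[str, List[str]] = {"affected": [], "fixed": [], "not listed": [], "unknown": []}
    for host, version in inventory.items():
        try:
            out[cve_2021_22893_status(version)].append(host)
        except ValueError:
            out["unknown"].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "vpn-a.example.test": "9.1R11.3",
        "vpn-b.example.test": "9.1R11.4",
        "vpn-c.example.test": "9.0R3",
        "vpn-d.example.test": "8.3R7.1",
        "vpn-e.example.test": "9.1R1",
        "vpn-f.example.test": "build-unknown",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts that land in "affected" need the 9.1R11.4 update (or, for license servers that cannot be updated, the IP restriction described above); hosts in "unknown" should be checked manually rather than assumed clean.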
Original Source
Url : https://kb.cert.org/vuls/id/213092 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-416 | Use After Free |
Alert History
Date | Information |
---|---|
2021-09-23 17:17:46 | |
2021-05-19 17:17:37 | |
2021-05-08 00:17:35 | |
2021-05-07 21:18:00 | |
2021-05-06 21:17:58 | |
2021-05-05 21:17:57 | |
2021-04-21 17:17:17 | |
2021-04-21 00:17:15 | |