Pulse Secure Urges ‘Connect Secure’ VPN Users to Patch Immediately

  • Pulse Secure has discovered three more vulnerabilities in its VPN product, and patches are already out.
  • The vendor is also offering mitigation in the form of an XML configuration file, but it’s not the perfect solution.
  • Sophisticated threat actors will continue to target Pulse Secure products, so patching as soon as possible is critical.

Pulse Secure has released an out-of-cycle advisory to warn users of the need to patch their ‘Pulse Connect Secure’ product immediately, as the latest available update (version 9.1 R11.4) addresses three critical and one high-severity vulnerability. The flaws include problems like remote arbitrary file execution, buffer overflow leading to root-level RCEs, and unrestricted uploads from authenticated admins. The four flaws are tracked as CVE-2021-22893 (CVSS v3.1 score: 10), CVE-2021-22894 (CVSS v3.1 score: 9.9), CVE-2021-22899 (CVSS v3.1 score: 9.9), and CVE-2021-22900 (CVSS v3.1 score: 7.2).

According to the relevant advisory, the following product versions are affected:

  • PCS 9.0 R3/9.1 R1 and Higher – vulnerable to CVE-2021-22893
  • PCS: 9.1 Rx and 9.0 Rx – vulnerable to CVE-2021-22894
  • PCS: 9.1 Rx and 9.0 Rx – vulnerable to CVE-2021-22899
  • PCS: 9.1 Rx and 9.0 Rx – vulnerable to CVE-2021-22900

The recommendation is to move quickly to patch these flaws as the Pulse Connect Secure is a product that is constantly being under attack by sophisticated state-supported actors, among others. The Pulse Secure team worked closely with CISA (Cybersecurity and Infrastructure Security Agency) and FireEye to identify the flaws and responded with a roll-out of a fixing patch as soon as possible.

For those who cannot apply the patch for whatever reason, there’s a mitigation for CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, which can be implemented by importing the “Workaround-2104.xml” provided by the software vendor. This file disables the Windows File Share browser and the Pulse Secure Collaboration, so it won’t be of any use if you need these. Even if you implement the mitigation, you are still advised to move to 9.1 R11.4 as soon as this becomes possible.

Source: Pulse Secure

If you are running any version below 9.1 R9, the workaround XML won’t make any difference. In that case, Pulse Secure recommends upgrading to at least 9.1 R19, ideally to 9.1 R10. Finally, if you are using A/A or A/P Cluster, the cluster will sync the configuration of the XML between nodes, so there’s no need to import the file individually on each node.

In addition to patching or at least applying the suggested mitigation, Pulse Secure also urges users to deploy its ‘Integrity Checker Tool,’ which will provide an easy and automated way to figure out if there’s malicious activity on their systems. If you are using Pulse Secure products, make sure to check the vendor’s update portal regularly, as the game of cat and mouse between security researchers and malicious actors is not expected to end any time soon.

Latest
How to Watch Interior Design Masters Season 4 Online from Anywhere
Fans of this reality show, which offers ambitious designers a chance to demonstrate their abilities and pursue their dreams of becoming professional...
How to Watch Rock The Block Season 4 Online: Stream the Renovation Series from Anywhere
Rock the Block, the smash hit home remodeling contest series, is back for its most fantastic season ever! The new six-episode season...
How to Watch Spring Baking Championship Season 9 Online: Stream the Cooking Competition from Anywhere
There’s no better way to welcome spring with some freshly baked goods, and that’s precisely how we’ll usher in the good weather...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari