Pulse Secure Urges ‘Connect Secure’ VPN Users to Patch Immediately

  • Pulse Secure has discovered three more vulnerabilities in its VPN product, and patches are already out.
  • The vendor is also offering mitigation in the form of an XML configuration file, but it’s not the perfect solution.
  • Sophisticated threat actors will continue to target Pulse Secure products, so patching as soon as possible is critical.

Pulse Secure has released an out-of-cycle advisory to warn users of the need to patch their ‘Pulse Connect Secure’ product immediately, as the latest available update (version 9.1 R11.4) addresses three critical and one high-severity vulnerability. The flaws include problems like remote arbitrary file execution, buffer overflow leading to root-level RCEs, and unrestricted uploads from authenticated admins. The four flaws are tracked as CVE-2021-22893 (CVSS v3.1 score: 10), CVE-2021-22894 (CVSS v3.1 score: 9.9), CVE-2021-22899 (CVSS v3.1 score: 9.9), and CVE-2021-22900 (CVSS v3.1 score: 7.2).

According to the relevant advisory, the following product versions are affected:

  • PCS 9.0 R3/9.1 R1 and Higher – vulnerable to CVE-2021-22893
  • PCS: 9.1 Rx and 9.0 Rx – vulnerable to CVE-2021-22894
  • PCS: 9.1 Rx and 9.0 Rx – vulnerable to CVE-2021-22899
  • PCS: 9.1 Rx and 9.0 Rx – vulnerable to CVE-2021-22900

The recommendation is to move quickly to patch these flaws as the Pulse Connect Secure is a product that is constantly being under attack by sophisticated state-supported actors, among others. The Pulse Secure team worked closely with CISA (Cybersecurity and Infrastructure Security Agency) and FireEye to identify the flaws and responded with a roll-out of a fixing patch as soon as possible.

For those who cannot apply the patch for whatever reason, there’s a mitigation for CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, which can be implemented by importing the “Workaround-2104.xml” provided by the software vendor. This file disables the Windows File Share browser and the Pulse Secure Collaboration, so it won’t be of any use if you need these. Even if you implement the mitigation, you are still advised to move to 9.1 R11.4 as soon as this becomes possible.

Source: Pulse Secure

If you are running any version below 9.1 R9, the workaround XML won’t make any difference. In that case, Pulse Secure recommends upgrading to at least 9.1 R19, ideally to 9.1 R10. Finally, if you are using A/A or A/P Cluster, the cluster will sync the configuration of the XML between nodes, so there’s no need to import the file individually on each node.

In addition to patching or at least applying the suggested mitigation, Pulse Secure also urges users to deploy its ‘Integrity Checker Tool,’ which will provide an easy and automated way to figure out if there’s malicious activity on their systems. If you are using Pulse Secure products, make sure to check the vendor’s update portal regularly, as the game of cat and mouse between security researchers and malicious actors is not expected to end any time soon.

REVIEW OVERVIEW

Latest

How to Watch Washington Wizards Games Online Without Cable

The Washington Wizards have been the surprise package of the NBA season so far, exciting fans all over the world with their...

How to Watch Philadelphia 76ers vs. Boston Celtics: Live Stream, Start Time, TV Channel, Odds, Predictions

The NBA regular season continues on Wednesday evening, with the Boston Celtics hosting the Philadelphia 76ers at the world-famous TD Garden in...

How to Watch Sacramento Kings vs. Los Angeles Clippers: Live Stream, Start Time, TV Channel, Odds, Predictions

The Los Angeles Clippers will be looking to return to winning ways as they battle it out against the Sacramento Kings in...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari