Tenable Blog

CVE-2021-22937: Remote Code Execution Patch Bypass in Pulse Connect Secure

Pulse Secure has patched CVE-2021-22937, a patch bypass for CVE-2020-8260, in its Connect Secure products.

Background

On August 2, Pulse Secure published an advisory and patches for several vulnerabilities, including CVE-2021-22937, a post-authentication remote code execution (RCE) vulnerability in Pulse Connect Secure virtual private network (VPN) appliances. Richard Warren with NCC Group has published a technical advisory for this flaw, explaining that it is a patch bypass for CVE-2020-8260, which he disclosed in October 2020.

Analysis

CVE-2021-22937 is an uncontrolled archive extraction vulnerability in the Pulse Connect Secure appliance that allows an authenticated administrator to write arbitrary executable files to the "/home/runtime/tmp/tt/" directory. It received a CVSSv3 score of 9.1. This unrestricted file upload vulnerability is due to a flaw in the way that archive files are extracted in the administrator web interface. Successful exploitation would give attackers root privileges on the targeted appliance.

This vulnerability is a patch bypass for CVE-2020-8260, which Pulse Secure addressed in October 2020 with version 9.1R9. That earlier vulnerability received a CVSSv3 score of 7.2 and has been actively targeted by attackers. Adjusting the available proof-of-concept (PoC) for CVE-2020-8260 to exploit CVE-2021-22937 is trivial, as Warren explains in his advisory. To address CVE-2020-8260, Pulse Secure added validation to ensure archives only contain “expected files,” but this validation does not apply to all archives, leaving an opening for attackers.

An attacker needs access to an administrator account to exploit this vulnerability, which may normally lower the severity of a vulnerability like this. However, given how simple it is to modify the exploit code for CVE-2020-8260, we expect to see attackers adopt CVE-2021-22937 quickly.
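The gap described in the analysis is validation that covers some archives but not others. The following added example (not Pulse Secure's or NCC Group's code) shows the defensive pattern: a single import routine that checks every tar member against an allowlist before anything is written. The names in `EXPECTED_FILES` and all function names are hypothetical, and the sample archives are constructed in memory.

```python
import io
import os
import tarfile

# Hypothetical allowlist of the only member names the importer expects.
EXPECTED_FILES = {"config.xml", "manifest.txt"}


def check_member(member, expected=EXPECTED_FILES):
    """Return a rejection reason for one tar member, or None if acceptable."""
    if not member.isfile():
        return "not a regular file"  # symlinks, hard links, devices, directories
    if member.name.startswith("/") or ".." in member.name.split("/"):
        return "path escapes the extraction directory"
    if member.name not in expected:
        return "unexpected file"
    return None


def import_archive(data, dest, expected=EXPECTED_FILES):
    """Validate every member first, then write only validated files to dest.

    There is no archive-type argument, so no caller can select a path that
    skips the checks; an unvalidated path is the gap described in the analysis.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = tar.getmembers()
        checked = [(m.name, check_member(m, expected)) for m in members]
        rejected = [(name, why) for name, why in checked if why]
        if rejected:
            raise ValueError(f"archive rejected: {rejected}")
        written = []
        for m in members:
            target = os.path.join(dest, m.name)
            with tar.extractfile(m) as src, open(target, "wb") as out:
                out.write(src.read())
            os.chmod(target, 0o600)  # never keep archive-supplied mode bits
            written.append(m.name)
        return sorted(written)


def build_tar(entries):
    """Build an in-memory tar from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Validation completes for the whole archive before the first write, so a rejected archive leaves the destination directory untouched.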

Proof of concept

While there is no direct PoC for CVE-2021-22937, Warren included a screenshot of the changes he made to his PoC for CVE-2020-8260 in his technical advisory for CVE-2021-22937, so we expect to see modified exploit scripts soon.

Solution

Pulse Secure released PCS 9.1R12 to address this and several other vulnerabilities. VPNs in general and Pulse Secure specifically have been persistently targeted by attackers. If your organization deploys these devices, we recommend updating as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
