CVE-2021-22937: Remote Code Execution Patch Bypass in Pulse Connect Secure
Pulse Secure has patched CVE-2021-22937, a patch bypass for CVE-2020-8260, in its Connect Secure products.
Background
On August 2, Pulse Secure published an advisory and patches for several vulnerabilities, including CVE-2021-22937, a post-authentication remote code execution (RCE) vulnerability in Pulse Connect Secure virtual private network (VPN) appliances. Richard Warren with NCC Group has published a technical advisory for this flaw, explaining it is a patch bypass for CVE-2020-8260 which he disclosed in October 2020.
Analysis
CVE-2021-22937 is an uncontrolled archive extraction vulnerability in the Pulse Connect Secure appliance that allows an authenticated administrator to write arbitrary executable files to the "/home/runtime/tmp/tt/" directory. It received a CVSSv3 score of 9.1. This unrestricted file upload vulnerability is due to a flaw in the way that archive files are extracted in the administrator web interface. Successful exploitation would give attackers root privileges on the targeted appliance.
This vulnerability is a patch bypass for CVE-2020-8260 which Pulse Secure addressed in October 2020 with version 9.1R9. The vulnerability received a CVSSv3 score of 7.2 and has been actively targeted by attackers. Adjusting the available proof-of-concept (PoC) for CVE-2020-8260 to exploit CVE-2021-22937 is trivial, as Warren explains in his advisory. Pulse Secure added validation to ensure archives only contain “expected files” to address CVE-2020-8260, but this validation does not apply to all archives, leaving an opening for attackers.
An attacker needs access to an administrator account to exploit this vulnerability which may normally lower the severity of a vulnerability like this. Given how simple it is to modify the exploit code for CVE-2020-8260, we expect to see attackers adopt CVE-2021-22937 quickly.
Proof of concept
While there is no direct PoC for CVE-2021-22937, Warren included a screenshot of the changes he made to his PoC for CVE-2020-8260 in his technical advisory for CVE-2021-22937, so we expect to see modified exploit scripts soon.
Solution
Pulse Secure released PCS 9.1R12 to address this and several other vulnerabilities. VPNs in general and Pulse Secure specifically have been persistently targeted by attackers. If your organization deploys these devices, we recommend updating as soon as possible.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
Secure Your Sprawling Attack Surface With Risk-based Vulnerability Management
August 27, 2024The cloud, artificial intelligence (AI), machine learning and other technological breakthroughs are radically changing the modern work environment. New assets and services offer increased flexibility, growth potential and access to more resources. However, they also introduce new security risks. Managing vulnerabilities across this ever-expanding threat landscape requires a risk-based approach beyond point solutions and reactive patch management.
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
CVE-2024-20419: Cisco Smart Software Manager On-Prem Password Change Vulnerability
August 9, 2024Critical vulnerability in Cisco Smart Software Manager On-Prem exposes systems to unauthorized password changes, exploit code now available.BackgroundOn July 17, 2024, Cisco published an advisory for ...
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
September 16, 2024Tenable Research discovered a remote code execution (RCE) vulnerability in Google Cloud Platform (GCP) that is now fixed and that we dubbed CloudImposer. The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool. Tenable Research also found risky guidance in GCP documentation that customers should be aware of.
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
September 13, 2024Critical infrastructure operators must beware of Russian military hacking groups. Plus, cyber scammers are having a field day with crypto fraud. Meanwhile, AI and cloud vendors face stricter reporting regulations in the U.S. And get the latest on AI-model risk management and on cybersecurity understaffing!
Microsoft’s September 2024 Patch Tuesday Addresses 79 CVEs (CVE-2024-43491)
September 10, 2024Microsoft addresses 79 CVEs with seven critical vulnerabilities and four zero-day vulnerabilities, including three that were exploited in the wild.
- Vulnerability Management