CVE-2021-22937: Remote Code Execution Patch Bypass in Pulse Connect Secure
Pulse Secure has patched CVE-2021-22937, a patch bypass for CVE-2020-8260, in its Connect Secure products.
Background
On August 2, Pulse Secure published an advisory and patches for several vulnerabilities, including CVE-2021-22937, a post-authentication remote code execution (RCE) vulnerability in Pulse Connect Secure virtual private network (VPN) appliances. Richard Warren with NCC Group has published a technical advisory for this flaw, explaining it is a patch bypass for CVE-2020-8260 which he disclosed in October 2020.
Analysis
CVE-2021-22937 is an uncontrolled archive extraction vulnerability in the Pulse Connect Secure appliance that allows an authenticated administrator to write arbitrary executable files to the "/home/runtime/tmp/tt/" directory. It received a CVSSv3 score of 9.1. This unrestricted file upload vulnerability is due to a flaw in the way that archive files are extracted in the administrator web interface. Successful exploitation would give attackers root privileges on the targeted appliance.
This vulnerability is a patch bypass for CVE-2020-8260 which Pulse Secure addressed in October 2020 with version 9.1R9. The vulnerability received a CVSSv3 score of 7.2 and has been actively targeted by attackers. Adjusting the available proof-of-concept (PoC) for CVE-2020-8260 to exploit CVE-2021-22937 is trivial, as Warren explains in his advisory. Pulse Secure added validation to ensure archives only contain “expected files” to address CVE-2020-8260, but this validation does not apply to all archives, leaving an opening for attackers.
An attacker needs access to an administrator account to exploit this vulnerability which may normally lower the severity of a vulnerability like this. Given how simple it is to modify the exploit code for CVE-2020-8260, we expect to see attackers adopt CVE-2021-22937 quickly.
Proof of concept
While there is no direct PoC for CVE-2021-22937, Warren included a screenshot of the changes he made to his PoC for CVE-2020-8260 in his technical advisory for CVE-2021-22937, so we expect to see modified exploit scripts soon.
Solution
Pulse Secure released PCS 9.1R12 to address this and several other vulnerabilities. VPNs in general and Pulse Secure specifically have been persistently targeted by attackers. If your organization deploys these devices, we recommend updating as soon as possible.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
- Vulnerability Management