A critical post-authentication remote code execution (RCE) vulnerability has resurfaced in Pulse Secure’s Connect Secure virtual private network (VPN) appliances. The flaw, tracked as CVE-2021-22937, allows an attacker to overwrite files, leading to remote code execution with root privileges.
This vulnerability is a bypass of a previous patch for CVE-2020-8260, which was exploited by threat actors earlier this year to infiltrate defense, government, and financial entities. The attackers targeted Pulse Secure flaws to circumvent multi-factor authentication protections and breach enterprise networks.
The company behind Pulse Secure, Ivanti, has released a fix in the form of Pulse Connect Secure (PCS) version 9.1R12. Users are strongly advised to update immediately to prevent any potential exploitation attempts.
Daniel Spicer, Ivanti’s vice president of security, emphasized that they are taking rigorous measures to enhance security and protect customers. A comprehensive code review and expanded internal product security resources are part of their efforts to fortify their defenses.
The vulnerability arises from an incomplete patch in the way archive files (.TAR) are extracted in the administrator web interface. Although measures were taken to validate extracted files and prevent exploitation of CVE-2020-8260, further analysis revealed that attackers could manipulate the archive type to bypass the patch and execute code.
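An added example (not code from Pulse Secure, Ivanti, or the original article) of the defensive pattern the bypass points to: every archive member is validated against the destination directory, and the type an upload declares never relaxes that check. The function names and the `declared_type` labels are hypothetical, and the sample archives are constructed in memory.

```python
import io
import os
import tarfile

def build_tar(entries):
    """Build a constructed in-memory tar from {member_name: bytes} (sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def unsafe_members(archive_bytes, dest_dir):
    """Return (name, reason) for every member that must not be extracted."""
    root = os.path.realpath(dest_dir)
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            # Resolve where the member would land, including ../ and absolute names.
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                problems.append((m.name, "path escapes destination"))
            elif not (m.isfile() or m.isdir()):
                problems.append((m.name, "link or special file"))
    return problems

def extract_validated(archive_bytes, dest_dir, declared_type):
    """Extract only if every member is safe; declared_type (hypothetical label)
    is used for reporting and never selects a weaker validation path."""
    problems = unsafe_members(archive_bytes, dest_dir)
    if problems:
        raise ValueError(f"rejected {declared_type!r} archive: {problems}")
    root = os.path.realpath(dest_dir)
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            out = os.path.join(root, m.name)
            if m.isdir():
                os.makedirs(out, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with tar.extractfile(m) as src, open(out, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(out, root))
    return written
```

The whole archive is rejected before anything is written, so a single unsafe member cannot leave a partially extracted tree behind.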
In response to the situation, Pulse Secure addressed this new vulnerability, separate from CVE-2020-8260, with a dedicated CVE assignment.
Given the potential real-world risks of exploitation, it’s crucial for users to upgrade to Pulse Connect Secure (PCS) 9.1R12 or newer versions as soon as possible to ensure a secure VPN environment. With these measures in place, customers can stay one step ahead of potential threats and keep their networks protected.