Pulse Connect Secure RCE Vulnerability (CVE-2021-22893)

On April 20, 2021, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued a Cyber Activity Alert (AA21-110A) and an Emergency Directive (21-03) regarding vulnerabilities in certain Ivanti Pulse Connect Secure products, which are widely used for virtual private network (VPN) remote access.  These vulnerabilities are currently being exploited and have affected government agencies, critical infrastructure entities, and other private sector organizations. 

As a result, Ivanti has released SA44784 - 2021-04: Out-of-Cycle Advisory: Pulse Connect Secure RCE Vulnerability (CVE-2021-22893) – A vulnerability was discovered under Pulse Connect Secure (PCS).  This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk.

MicroBilt is an Ivanti Pulse Connect Secure customer utilizing Pulse Connect Secure for VPN access. At the time of discovery, MicroBilt was running version 9.1R11.1, currently, we have upgraded to version 9.1R11.3 as advised by Ivanti in addition the below steps have been taken:

1. KB44755 - Pulse Connect Secure (PCS) Integrity Assurance tool was run on all nodes and NO newly detected files and NO mismatched files were present.
2. Disabled the Pulse Collaboration & Windows File Share browser functionality as advised in SA-44784
3. All nodes have been upgraded to v 9.1R11.3 as advised by Ivanti.
4. Unauthenticated request logging has been enabled.
5. Additional security configuration changes have been made to further monitor and prevent exploitation of the published vulnerabilities, these configuration changes are confidential and proprietary.

We have always maintained a quarterly update cycle for Pulse Secure and have maintained the latest available software throughout the lifecycle. As a result, we believe we have mitigated impacts from these published vulnerabilities since first introduced.