[Alert] Request to upgrade to vulnerability fix version

Overview

This is an archived notice of a serious vulnerability, originally published on April 21, 2021.

If you are using an affected version, please upgrade to the fixed OS as soon as possible.

Target vulnerability

An authentication bypass vulnerability (CVE-2021-22893) has been reported for Pulse Secure products.
CVSS Score (V3.1): 10 Critical AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
This vulnerability could allow an attacker to bypass PCS authentication and execute arbitrary code.

<Details of attack>

By exploiting this vulnerability, an attacker without an administrator account can embed arbitrary code inside the PSA. This can lead to serious security incidents such as setting up a backdoor that allows external access to the company network, leaking confidential information, tampering with web pages, and infecting internal machines with ransomware.

JPCERT/CC has confirmed multiple attacks exploiting this vulnerability in Japan, and attackers may widen their attacks against PCS devices on which no countermeasure has been taken. If you have not yet applied the interim countermeasures or upgraded to a fixed OS, please do so as soon as possible.
2022/6/9 *There have been multiple reports of PSA being hijacked by attackers after the provisional countermeasures were breached. Please upgrade to the fixed OS as soon as possible.

In addition, the following CVE numbers have been assigned to related threats.

  • CVE-2021-22894
    An authenticated user can execute arbitrary code by causing an overflow in the Pulse Secure Collaboration feature.
  • CVE-2021-22899
    Authenticated users can execute code through the Windows files feature.
  • CVE-2021-22900
    Authorized administrators can perform file writes via archive upload.

Affected versions

CVE-2021-22893
9.0R3 or higher
9.1R1 or higher

CVE-2021-22894, CVE-2021-22899, CVE-2021-22900
9.0Rx
9.1Rx

Unaffected versions

CVE-2021-22893
9.0R2 or earlier

CVE-2021-22894, CVE-2021-22899, CVE-2021-22900
8.3Rx or earlier

Fixed OS

9.1R11.4 or later

It can be downloaded from our download page.
If you upgrade to 9.1R11.4 from any version other than those listed below, you will need to run the uninstall tool on your PC to uninstall the various modules.
PCS9.1R11.3
PCS9.1R10.2
PCS9.1R9.2
PCS9.1R8.4
For details, please see Technical Information > Restrictions > "PCS 9.1R8 or later: an event that fails to access the PCS occurs".
https://www1.macnica.net/CGI/product/support/contents/support_syousai.cgi?pro_ctgry_id=39&type=tech&issue_id=13613

*If the disabling XML from the interim countermeasure has been applied, you must apply the removal XML either before or after upgrading to the fixed version.
If you apply the removal XML before upgrading, the device cannot block attacks until the upgrade is done, so applying it after upgrading is the safe choice.
ps-pcs-sa-44784-remove-workaround-2104.xml

*The Windows File Share Browser function is disabled through a setting, so the timing of re-enabling it does not matter.

* A support site account is required to download files.
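
As an added example (not part of the original notice or any vendor tooling), the version rules in this notice can be turned into a triage check for an appliance inventory. It also flags the releases for which, as noted under the temporary countermeasures, the workaround XML does not disable Pulse Secure Collaboration. The function names and the sample inventory are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# PCS versions look like "9.1R11.4": train "9.1", release "R11", optional build ".4".
_VERSION = re.compile(r"^(?:PCS)?\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.I)

FIXED = (9, 1, 11, 4)                      # "9.1R11.4 or later"
XML_INEFFECTIVE = [                        # workaround XML does not disable Collaboration
    ((9, 0, 1, 0), (9, 0, 4, 1)),          # 9.0R1 to 9.0R4.1 (bounds taken literally)
    ((9, 1, 1, 0), (9, 1, 2, 0)),          # 9.1R1 to 9.1R2
]

class Triage(NamedTuple):
    auth_bypass: bool                         # CVE-2021-22893
    authenticated_cves: bool                  # CVE-2021-22894, -22899, -22900
    workaround_xml_effective: Optional[bool]  # None when no workaround is needed

def parse_version(text: str) -> tuple:
    """Turn '9.1R11.4' or 'PCS9.1R11.4' into (9, 1, 11, 4); a missing build is 0."""
    m = _VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PCS version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def triage(text: str) -> Triage:
    v = parse_version(text)
    # Fixed releases and everything before 9.0 (8.3Rx or earlier) are unaffected.
    if v >= FIXED or v < (9, 0, 0, 0):
        return Triage(False, False, None)
    # Every 9.0Rx / 9.1Rx below the fix has the three authenticated issues;
    # the authentication bypass starts at 9.0R3 (all of 9.1Rx qualifies).
    xml_ok = not any(lo <= v <= hi for lo, hi in XML_INEFFECTIVE)
    return Triage(v >= (9, 0, 3, 0), True, xml_ok)

if __name__ == "__main__":
    # Constructed inventory, not data from the notice.
    for ver in ["8.3R7", "9.0R2", "9.0R4.1", "9.1R2", "9.1R10.2",
                "PCS9.1R11.3", "9.1R11.4"]:
        print(f"{ver:12} {triage(ver)}")
```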

Temporary countermeasure

2022/6/9 *There have been multiple reports of cases where PSA is hijacked by attackers after the temporary measures were breached. Please upgrade to the fixed OS as soon as possible.

  1. Disabling the Pulse Secure Collaboration Feature
    This feature cannot be disabled manually; the only way to disable it is by using XML.
    Please download the XML file that disables this function from the link below, check the application method and precautions, and apply it to PCS.

    XML file for disabling the Pulse Secure Collaboration feature:
    ps-pcs-sa-44784-workaround-2104.xml

    *Right-click the link to save it as an XML file, then apply it to PCS.

    * A support site account is required to download files.

    • How to apply
      XML settings can be applied by performing the following operations from the management screen.

      Maintenance > Import/Export > Import XML

      *So that the settings can be rolled back, it is recommended to save the settings in advance by following the steps below.
      Maintenance > Import/Export > Configuration > Save Config As
      Maintenance > Import/Export > User Accounts > Save Config As

      *If a load balancer is installed in front of the PCS and none of the following is in use, applying the XML may affect operation.
      round robin
      HealthCheck.cgi
      Advanced healthcheck.cgi
      If you are not using these, monitor the device after applying the XML and confirm that no abnormalities occur.

    *For 9.0R1 to 9.0R4.1 and 9.1R1 to 9.1R2, applying this XML does not disable the Pulse Secure Collaboration feature.

    *A PCS acting as a license server is not intended for user access, so instead of applying the XML it is recommended to take measures such as using a separate firewall to limit the IP addresses that can connect to it.

    To revert the XML, apply the following XML in the same way.
    ps-pcs-sa-44784-remove-workaround-2104.xml

    *When upgrading to a version with fixed vulnerabilities, apply this XML to restore the Pulse Secure Collaboration function to its normal state.

    * A support site account is required to download files.

  2. Disabling the Windows File Share Browser feature
    Disable the function by unsetting (unchecking) the role.
    Users > User Roles > [Role Name] > General > Files, Windows

    The measures above are not a complete countermeasure, but they can be used as mitigation against attacks that exploit the vulnerabilities.

    The latest update of the manufacturer's information also describes restricting the following URIs on a device other than the PCS.
    ^/+dana/+meeting
    ^/+dana/+fb/+smb
    ^/+dana-cached/+fb/+smb
    ^/+dana-ws/+namedusers
    ^/+dana-ws/+metric

    *Implementing this requires SSL offloading, and communication such as VPN Tunneling may become unstable, so we recommend thorough verification when considering it.
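
The check below is an added example, not part of the original notice or the manufacturer's article. It runs the URI patterns listed above over the access log of the front device to confirm that the restriction is in place. The log format, the use of status 403 for a denied request, and the function names are assumptions; the log lines are constructed.

```python
import re

# The five URI patterns from the notice, verbatim. "/+" tolerates repeated slashes.
RESTRICTED = [re.compile(p) for p in (
    r"^/+dana/+meeting",
    r"^/+dana/+fb/+smb",
    r"^/+dana-cached/+fb/+smb",
    r"^/+dana-ws/+namedusers",
    r"^/+dana-ws/+metric",
)]

# Assumed log layout: client ... "METHOD target HTTP/x.y" status size
REQUEST = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) [^"]*" (\d{3})')

def is_restricted(target: str) -> bool:
    """Match the path of a request target (query string removed) against the list."""
    path = target.split("?", 1)[0]
    return any(rx.match(path) for rx in RESTRICTED)

def restricted_hits(log_text: str):
    """Return (client, target, status) for every logged request to a restricted URI."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and is_restricted(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

# Constructed log lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jun/2022:10:00:01 +0900] "GET /dana-na/placeholder HTTP/1.1" 200 5120
198.51.100.7 - - [09/Jun/2022:10:00:05 +0900] "GET /dana/meeting/placeholder HTTP/1.1" 403 162
198.51.100.7 - - [09/Jun/2022:10:00:06 +0900] "GET //dana-cached///fb/smb/placeholder?x=1 HTTP/1.1" 403 162
203.0.113.4 - - [09/Jun/2022:10:00:09 +0900] "POST /dana-ws/namedusers HTTP/1.1" 200 48
192.0.2.10 - - [09/Jun/2022:10:00:12 +0900] "GET /static/dana/meeting HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for client, target, status in restricted_hits(SAMPLE_LOG):
        # Assumption: the front device answers 403 when it denies a request.
        flag = "blocked" if status == 403 else "NOT BLOCKED"
        print(f"{client:15} {status} {flag:11} {target}")
```

Any hit whose status is not the deny code shows a restricted URI that the front device still passes through to the PCS.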

Supplement

The latest information is posted in the manufacturer's article below, so please check it regularly.
SA44784
*We will check the article and update this notice as soon as there are any changes.

Please note that, because details of the vulnerability would make it possible to guess the attack method, we cannot answer with anything other than the manufacturer's public information even if you contact us.

Macnica
Pulse Secure product manager