CVE-2021-22893
Ivanti Connect Secure vulnerability analysis and mitigation

Overview

CVE-2021-22893 is a critical authentication bypass vulnerability discovered in April 2021 affecting Pulse Connect Secure (PCS) versions 9.0R3/9.1R1 and higher. The vulnerability exists in the Windows File Share Browser and Pulse Secure Collaboration features, allowing an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been actively exploited in the wild (Pulse Security Blog, CERT VU).

Technical details

The vulnerability is a use-after-free issue that can be triggered via a license server handling endpoint, allowing remote, unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability carries a CVSSv3 base score of 10.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Notably, having the license server configuration enabled is not a prerequisite for exploitation, as the vulnerable endpoints are present regardless of whether the system is an actual license server (CERT VU).

Impact

The exploitation of this vulnerability allows attackers to execute arbitrary code on the gateway with root privileges. Attackers can bypass both single and multi-factor authentication on Pulse Secure VPN devices, establish persistence across updates, and maintain access through webshells. The vulnerability has been particularly impactful for defense, government, and financial organizations worldwide (FireEye Blog).

Mitigation and workarounds

Pulse Secure released temporary mitigations through an XML file (Workaround-2104.xml) that blocks access to the Windows File Share Browser and Pulse Secure Collaboration features. The workaround blocks specific URI patterns including ^/+dana/+meeting, ^/+dana/+fb/+smb, ^/+dana-cached/+fb/+smb, ^/+dana-ws/+namedusers, and ^/+dana-ws/+metric. Organizations are advised to use the Pulse Connect Secure Integrity Tool to verify system integrity and reset all passwords in the environment. A permanent fix was scheduled for release in early May 2021 (Pulse Security Blog, CERT VU).
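As an added example (not from Pulse Secure or from the original page), the following Python script checks access-log lines against the URI patterns listed above, so a defender can review which requests fall under the paths the workaround blocks. The Common Log Format layout, the function names, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# URI patterns this page lists as blocked by Workaround-2104.xml.
BLOCKED_PATTERNS = [
    r"^/+dana/+meeting",
    r"^/+dana/+fb/+smb",
    r"^/+dana-cached/+fb/+smb",
    r"^/+dana-ws/+namedusers",
    r"^/+dana-ws/+metric",
]
COMPILED = [(p, re.compile(p)) for p in BLOCKED_PATTERNS]

# Assumption: Common Log Format lines, e.g. from a proxy in front of the gateway.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def match_blocked(target):
    """Return the listed pattern that a request target falls under, or None."""
    # Drop the query string by hand: urlsplit() would read a leading "//"
    # as a host name, and the patterns explicitly allow repeated slashes.
    path = unquote(target.split("?", 1)[0])
    for text, rx in COMPILED:
        if rx.search(path):
            return text
    return None

def scan(lines):
    """Return one dict per parsable log line whose path matches a pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (pattern := match_blocked(m["target"])):
            hits.append({**m.groupdict(), "pattern": pattern})
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [20/Apr/2021:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Apr/2021:10:03:11 +0000] "POST //dana//meeting/example HTTP/1.1" 200 312',
    '203.0.113.9 - - [20/Apr/2021:10:03:15 +0000] "GET /dana-cached/fb/smb/example?x=1 HTTP/1.1" 403 0',
    '203.0.113.9 - - [20/Apr/2021:10:03:19 +0000] "GET /dana-ws/%6eamedusers HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["ts"], hit["src"], hit["status"], hit["target"], hit["pattern"])
```

Paths are percent-decoded before matching so that encoded variants of the same URI are not missed; matching stays case-sensitive, as the patterns are written.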

Community reactions

The discovery of this vulnerability prompted an immediate response from the cybersecurity community. FireEye's detailed analysis revealed the sophisticated nature of the attacks and their potential attribution to state-sponsored actors. The incident highlighted the ongoing targeting of VPN devices by advanced persistent threat (APT) groups, particularly those targeting defense and government organizations (FireEye Blog, Rapid7 Blog).


This report was generated using AI.
