CVE-2021-22937
Ivanti Connect Secure vulnerability analysis and mitigation

Overview

CVE-2021-22937 is a critical vulnerability discovered in Pulse Connect Secure VPN appliances before version 9.1R12. The vulnerability allows an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface. This flaw was identified as a patch bypass for the previously discovered CVE-2020-8260, which was patched in October 2020 (Tenable Blog, SecurityWeek).

Technical details

The vulnerability is an uncontrolled archive extraction flaw that received a CVSS v3.1 base score of 9.1. The issue stems from improper validation of archive files in the administrator web interface. While the original patch for CVE-2020-8260 added validation to ensure archives only contain 'expected files', this validation did not apply to all archive types, specifically the 'profiler' type, leaving a security gap. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, Tenable Blog).
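The gap described above, where validation covers some archive types but not others, is shown here as an added example (not Ivanti's code or code from the cited sources) next to a default-deny check. Apart from 'profiler', the archive type names and all file names are hypothetical.

```python
import io
import posixpath
import tarfile

# Hypothetical allowlists: type names (other than "profiler", which the page
# names) and file names are illustrative, not the appliance's real ones.
EXPECTED_FILES = {
    "config": {"settings.xml", "version.txt"},
    "profiler": {"fingerprints.db", "version.txt"},
}

def validate_strict(archive_type, data):
    """Default-deny: every type needs an allowlist, every member must match."""
    allowed = EXPECTED_FILES.get(archive_type)
    if allowed is None:
        return False                      # unknown type is rejected, not skipped
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if not member.isfile():       # no links, devices or directories
                return False
            if name.startswith("/") or ".." in name.split("/"):
                return False              # no absolute or parent-relative paths
            if posixpath.normpath(name) not in allowed:
                return False              # not an expected file for this type
    return True

def validate_weak(archive_type, data):
    """Gap pattern: the allowlist is enforced only for the types listed here."""
    checked_types = {"config"}            # "profiler" was never added
    if archive_type not in checked_types:
        return True                       # archive passes with no validation
    return validate_strict(archive_type, data)

def build_tar(names):
    """Build a constructed in-memory tar archive for the checks above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"constructed sample"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

The strict form fails closed: an archive type added later is rejected until someone defines its expected files.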

Impact

Successful exploitation of this vulnerability results in Remote Code Execution (RCE) on the underlying Operating System with root privileges. An attacker with such access can circumvent web application restrictions, remount the filesystem, create persistent backdoors, extract and decrypt credentials, compromise VPN clients, or pivot into the internal network (Tenable Blog, Help Net Security).

Mitigation and workarounds

Ivanti released Pulse Connect Secure version 9.1R12 to address this vulnerability. The update not only patches CVE-2021-22937 but also includes enhanced features such as the incorporation of the Pulse Security Integrity Checker Tool directly into the product. Organizations are strongly advised to upgrade their installations to this version as soon as possible (Help Net Security).

This report was generated using AI.

Related Ivanti Connect Secure vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-55147 | HIGH | 8.8 | Ivanti Connect Secure | cpe:2.3:a:ivanti:connect_secure | No | Yes | Sep 09, 2025 |
| CVE-2025-55148 | HIGH | 7.6 | Ivanti Connect Secure | cpe:2.3:a:ivanti:connect_secure | No | Yes | Sep 09, 2025 |
| CVE-2025-8712 | MEDIUM | 5.4 | Ivanti Connect Secure | cpe:2.3:a:ivanti:policy_secure | No | Yes | Sep 09, 2025 |
| CVE-2025-8711 | MEDIUM | 5.4 | Ivanti Connect Secure | cpe:2.3:a:ivanti:connect_secure | No | Yes | Sep 09, 2025 |
| CVE-2025-55146 | MEDIUM | 4.9 | Ivanti Connect Secure | cpe:2.3:a:ivanti:policy_secure | No | Yes | Sep 09, 2025 |
