External risk intelligence

Pulse Connect Secure Code Execution Vulnerability.

CVE advisoryKnown Exploit

CVE-2021-22899

A command injection vulnerability in Ivanti Pulse Connect Secure allows authenticated attackers to execute remote code. This presents a significant risk to organizations using affected systems, potentially leading to business disruption and data compromise.

5Halo Surface Signal

Command Injection

Ivanti Connect Secure

9.09.1

External exposure likelihood

Halo Surface Signal score for CVE-2021-22899

Pulse Connect Secure is a widely deployed enterprise VPN gateway designed specifically to be public-facing to provide remote access. As an edge device, it is commonly positioned at the network perimeter, making its management and user-facing services reachable from the internet by design.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A command injection vulnerability has been identified in Ivanti Pulse Connect Secure. This flaw allows an authenticated attacker to execute arbitrary code on affected systems. Such a compromise could lead to a significant disruption of business operations and potential data breaches.

  • Pulse Connect Secure feature
  • Command injection flaw
  • Remote code execution

Attack Path

How an attacker could exploit the issue

A command injection vulnerability in Pulse Connect Secure allows attackers to execute remote code. This occurs when an authenticated attacker leverages the Windows Resource Profiles feature. The exploit enables an attacker to gain control over affected systems.

  • Accessible externally
  • Authenticated attacker
  • Command injection leads to control

Live Threat

Current exploitation, exposure, and threat context

A command injection vulnerability in Pulse Connect Secure allows remote code execution by authenticated attackers. This vulnerability, present before version 9.1R11.4, could enable unauthorized system control. The potential for widespread impact makes this a significant concern for organizations utilizing this product.

  • Likely attacker skill level: Low
  • Required access or conditions: Authenticated access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A command injection vulnerability in Ivanti Pulse Connect Secure allows authenticated attackers to execute remote code. This poses a significant business risk to organizations utilizing affected versions. Addressing this requires a structured approach to identify, mitigate, and validate the security posture.

  • Find vulnerable Pulse Secure assets.
  • Reduce exposure or isolate affected systems.
  • Apply vendor fixes and verify.
  • Monitor for related activity.

Frequently asked questions

What is Ivanti Connect Secure and its role in network security?

Ivanti Connect Secure is an enterprise VPN gateway designed to provide secure remote access to company networks. It enables employees to connect to internal resources as if they were physically present, thereby supporting remote work and business continuity.

How does the CVE-2021-22899 vulnerability function?

This vulnerability is classified as CWE-77, a command injection flaw. It permits an authenticated attacker to execute arbitrary code on the affected system by exploiting the Windows Resource Profiles feature. This can lead to a complete compromise of the system's confidentiality, integrity, and availability.

What specific feature is exploited in CVE-2021-22899?

The CVE-2021-22899 vulnerability is exploited through the Windows Resource Profiles feature within Ivanti Connect Secure. An authenticated attacker can manipulate this feature to inject and execute commands on the underlying operating system.

What is the practical impact of CVE-2021-22899 on an organization?

This vulnerability poses a significant business risk, as it allows for remote code execution by authenticated attackers. Successful exploitation can lead to unauthorized system control, data breaches, and disruption of business operations. CISA has listed this CVE in its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

What steps should be taken to address CVE-2021-22899?

Organizations should immediately upgrade Ivanti Connect Secure to version 9.1R11.4 or later. It is also recommended to review and enforce the principle of least privilege for user accounts accessing the Windows Resource Profiles feature, audit recent configuration changes, and potentially use tools like the Pulse Secure Integrity Checker Tool to detect compromise.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified