External risk intelligence

Ivanti Pulse Connect Secure: Unrestricted File Upload Risk.

CVE advisory | Known Exploit

CVE-2021-22900

A vulnerability in Ivanti Pulse Connect Secure allows authenticated administrators to perform unauthorized file writes via crafted archive uploads. This impacts system integrity and data, posing a business risk due to the nature of the affected external-facing product.

4 Halo Surface Signal

Code Injection

Ivanti Connect Secure

9.09.19.1 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2021-22900

Pulse Connect Secure is an edge-facing VPN appliance designed to be accessible from the public internet. While this specific vulnerability requires administrator authentication, the management interface is a core component of this internet-facing gateway product, making the attack surface commonly reachable in real-world deployments.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Ivanti Pulse Connect Secure's administrator web interface allows authenticated administrators to upload crafted archives, potentially leading to unauthorized file writes on the system. This could enable attackers to compromise system integrity and access sensitive data. The affected systems are designed for secure external access, increasing the potential reach of such a compromise.

  • Vulnerable component: Pulse Connect Secure administrator interface
  • Core weakness: Unrestricted file upload capability
  • Main business impact: Unauthorized file writes and data compromise

Attack Path

How an attacker could exploit the issue

An authenticated administrator can exploit a vulnerability in the Pulse Connect Secure administrator web interface. This allows for unrestricted file uploads, enabling the attacker to write files to the system. The attack involves an authenticated administrator uploading a specially crafted archive.

  • Exposure condition: Administrator access to web interface.
  • Attacker starting point: Authenticated administrator account.
  • Trigger and result: Malicious archive upload, file write.
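
The weakness class described above, seen from the defensive side, as an added example that is not Ivanti's code and is not taken from this advisory: an upload handler that inspects every archive entry before anything is written to disk. The advisory does not say how the crafted archive achieves the file write, so the checks shown (absolute paths, entries that resolve outside the extraction directory, symbolic links, oversized content) are assumptions about what "crafted" can mean for a zip upload, and the function names and the size limit are hypothetical.

```python
import io
import posixpath
import stat
import zipfile

MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed cap on total uncompressed size


def unsafe_members(archive_bytes, max_total=MAX_TOTAL_BYTES):
    """Return (name, reason) for every entry that should block extraction."""
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            mode = info.external_attr >> 16  # Unix mode bits, if the creator set them
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                findings.append((info.filename, "absolute path"))
            elif ".." in posixpath.normpath(name).split("/"):
                findings.append((info.filename, "escapes extraction directory"))
            elif stat.S_ISLNK(mode):
                findings.append((info.filename, "symbolic link entry"))
            total += info.file_size
    if total > max_total:
        findings.append(("<archive>", "uncompressed size over limit"))
    return findings


def build_sample(entries):
    """Build an in-memory zip from (name, data, unix_mode) tuples (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, mode in entries:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = mode << 16
            zf.writestr(zi, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one ordinary entry and three that must be rejected.
    sample = build_sample([
        ("conf/ok.txt", b"x", 0o100644),
        ("../outside.txt", b"x", 0o100644),
        ("/abs.txt", b"x", 0o100644),
        ("link", b"target", 0o120777),
    ])
    for name, reason in unsafe_members(sample):
        print(f"reject {name!r}: {reason}")
```

An upload is accepted only when the returned list is empty; rejecting the whole archive on any finding is safer than skipping individual entries.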

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Pulse Connect Secure could allow an authenticated administrator to upload malicious files. An attacker with administrator access could exploit this to write files to the system, potentially leading to further compromise. The risk level is considered high due to the potential for significant impact.

  • Likely attacker skill level: Administrator
  • Required access or conditions: Authenticated administrator access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization should take immediate action to address a vulnerability in Ivanti Connect Secure. This issue allows an authenticated administrator to upload files, potentially leading to unauthorized file writes within the administrator web interface. Addressing this vulnerability is critical to prevent potential compromise of systems and data.

  • Identify all instances of Ivanti Connect Secure.
  • Restrict access to the administrator interface.
  • Apply vendor updates and verify remediation.

Frequently asked questions

What is Ivanti Pulse Connect Secure and what does it do?

Ivanti Pulse Connect Secure is a gateway product that provides secure remote access for organizations, allowing employees to connect to company networks from outside the office via VPN. It is designed to enable secure access to internal resources.

What type of vulnerability is CVE-2021-22900 and what is its weakness class?

CVE-2021-22900 is a high-severity vulnerability classified as an unrestricted file upload weakness (CWE-94, CWE-669). This allows an authenticated administrator to upload a specially crafted archive.

How can CVE-2021-22900 be triggered and what is the scope of the attack?

The vulnerability is triggered when an authenticated administrator uploads a specially crafted archive through the administrator web interface. This allows for an unauthorized file write to the system, impacting its integrity.

What is the relevance of CVE-2021-22900 based on the Halo Surface Signal?

The Halo Surface Signal indicates a 'Likely' risk for CVE-2021-22900. This is because Pulse Connect Secure is an edge-facing VPN appliance accessible from the public internet, and its management interface is a core component, making the attack surface commonly reachable in deployments.

What practical steps should an organization take regarding this vulnerability?

Organizations should identify all Ivanti Connect Secure instances, restrict access to the administrator interface, and promptly apply vendor updates. Verifying remediation is crucial to prevent potential system and data compromise.
