Ivanti has addressed a critical security hole (CVE-2021-22937) that affects its Pulse Connect Secure VPNs. The flaw is a bypass of the patch issued in October last year to mitigate CVE-2020-8260, a notorious bug that allows malicious admins to execute arbitrary code remotely with root privileges.
According to the in-depth analysis by NCC Group, CVE-2021-22937 is a patch bypass for a high-severity flaw addressed in autumn 2020. The original security hole (CVE-2020-8260) stems from uncontrolled gzip extraction in the Pulse Connect Secure admin interface. The flaw enables adversaries to encrypt and decrypt maliciously crafted archives with a hardcoded key, import such archives via the admin GUI, and perform an arbitrary file overwrite that results in remote code execution (RCE).
To prevent CVE-2020-8260 attacks, the vendor introduced validation of the extracted files. However, that validation does not apply to “profiler” type archives. Consequently, a slight modification of the original CVE-2020-8260 exploit is enough to bypass the protection and leverage the older RCE bug for attacks in the wild.
Successful exploitation of CVE-2021-22937 allows authenticated adversaries with admin rights to modify the filesystem, plant a persistent backdoor, steal login credentials, compromise VPN clients, and more.
Although there is currently no direct proof-of-concept (PoC) for CVE-2021-22937, the NCC Group analysis includes several screenshots of the modifications made to the CVE-2020-8260 PoC. For this reason, experts expect a wave of modified exploits to appear in the near future.
According to the advisory issued by Ivanti last week, CVE-2021-22937 impacts all Pulse Connect Secure versions before 9.1R12. Admins are urged to upgrade to the latest version as soon as possible to block exploitation attempts.
To assist security practitioners in spotting possible attacks against enterprise infrastructure, SOC Prime has released a free hunting rule for CVE-2021-22937 detection.
This rule helps identify backup configuration manipulations and operations that may indicate CVE-2021-22937 exploitation attempts.
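As an added example (not part of the SOC Prime post or its marketplace rule), the script below covers both checks a defender takes from the text above: an exposure check that orders Pulse Connect Secure version strings against the 9.1R12 fix named in the advisory, and a minimal hunt that flags admin config import/restore events, surfacing the archive type since the bypass relies on "profiler" archives. The key=value log layout, field names and sample lines are constructed for this example and are not real appliance output.

```python
import re
from typing import List, NamedTuple, Tuple

# Ivanti's advisory: every Pulse Connect Secure build before 9.1R12 is affected.
FIXED_VERSION = "9.1R12"
# PCS versions look like "9.1R11.4" or "9.1R12": major.minor, "R" release, optional patch.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_pcs_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a PCS version string into a tuple that orders numerically (9.1R9 < 9.1R11.4 < 9.1R12)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse Connect Secure version: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def is_vulnerable_to_cve_2021_22937(version: str) -> bool:
    """True when the installed build predates the fixed release named in the advisory."""
    return parse_pcs_version(version) < parse_pcs_version(FIXED_VERSION)

class ConfigImportEvent(NamedTuple):
    timestamp: str
    user: str
    src_ip: str
    archive_type: str
    technique: str  # ATT&CK technique the SOC Prime rule maps to

# Hypothetical key=value admin-log layout, constructed for this example only; real PCS
# event logs differ, so the field names here must be adapted to the deployment's parser.
_LOG_RE = re.compile(r'^(?P<ts>\S+) host=\S+ user=(?P<user>\S+) src=(?P<src>\S+) msg="(?P<msg>[^"]*)"$')
# Any config import/restore that names an archive type is an event worth reviewing;
# a "profiler" type is the archive the patch bypass relies on.
_IMPORT_RE = re.compile(r"\b(?:import|restore)\b.*\btype=(?P<type>\w+)", re.IGNORECASE)

def detect_config_imports(lines: List[str]) -> List[ConfigImportEvent]:
    """Return one event per admin config import/restore operation found in the log lines."""
    events = []
    for line in lines:
        m = _LOG_RE.match(line)
        imp = _IMPORT_RE.search(m["msg"]) if m else None
        if imp:
            events.append(ConfigImportEvent(m["ts"], m["user"], m["src"], imp["type"].lower(), "T1190"))
    return events

# Constructed sample log lines (not real appliance output).
SAMPLE_LOGS = [
    '2021-08-05T10:14:02Z host=pcs-gw01 user=admin src=10.0.0.5 msg="Login succeeded"',
    '2021-08-05T10:15:40Z host=pcs-gw01 user=admin src=10.0.0.5 msg="Config import started: type=profiler file=upload.cfg"',
    '2021-08-05T10:16:01Z host=pcs-gw01 user=admin src=10.0.0.5 msg="Config import completed: type=profiler"',
    '2021-08-05T11:02:13Z host=pcs-gw01 user=jdoe src=10.0.0.9 msg="Session timeout"',
]
```

Running `detect_config_imports(SAMPLE_LOGS)` yields two events for the admin's profiler import; a real deployment would route these to the SIEM alongside the marketplace rule rather than act on this toy parser.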
SIEM & SECURITY ANALYTICS: Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, Securonix
The rule is mapped to the MITRE ATT&CK® framework, addressing the Initial Access tactic and the Exploit Public-Facing Application technique (T1190). The detection content is available in Threat Detection Marketplace for free upon registration.
Get a free subscription to Threat Detection Marketplace to boost your cyber defense capabilities! Our SOC content library aggregates over 100K detection and response algorithms mapped directly to CVE and MITRE ATT&CK® frameworks so you can withstand notorious cyber-attacks at the earliest stages of intrusion. Eager to craft your own detections? Join our Threat Bounty program for a safer future!