A high-severity vulnerability, tracked as CVE-2021-22908, was discovered in Pulse Connect Secure (PCS). Ivanti, the company behind Pulse Secure VPN appliances, released a security advisory for this vulnerability. The flaw may allow an authenticated remote attacker to execute arbitrary code as the root user.
Mitigated by importing the Workaround-2105.xml file
The flaw has a CVSS score of 8.5 out of a maximum of 10 and impacts Pulse Connect Secure versions 9.0Rx and 9.1Rx. The company recommended customers upgrade to PCS Server version 9.1R.11.5 when it becomes available.
CVE-2021-22908 can be mitigated by importing the Workaround-2105.xml file. Customers can download the file and import it at the following location:
- Go to Maintenance > Import/Export > Import XML. Import the file.
This disables the Windows File Share browser functionality. You can disable the Windows File Browser in the Admin UI by following the steps below:
- Navigate to User > User Role > Click Default Option > Click on General
- Under the Access Feature, make sure the “Files, Windows” option is not checked.
- Go to Users > User Roles
- Click on each role in turn and ensure that, under the Access Feature of each role, the “Files, Windows” option is not enabled.