Pulse Connect SecureÔ¶³Ì´úÂëÖ´ÐÐÎó²î£¨CVE-2021-22893£©

Ðû²¼Ê±¼ä 2021-04-21

0x00 Îó²î¸ÅÊö

CVE  ID

CVE-2021-22893

ʱ   ¼ä

2021-04-21

Àà   ÐÍ

RCE

µÈ   ¼¶

ÑÏÖØ

Ô¶³ÌʹÓÃ

ÊÇ

Ó°Ïì¹æÄ£

 9.0R3<= PCS <9.1R.11.4

PoC/EXP


ÔÚҰʹÓÃ

ÊÇ

 

0x01 Îó²îÏêÇé

image.png

 

2021Äê04ÔÂ20ÈÕ£¬£¬£¬£¬£¬£¬£¬PulseSecureÐû²¼Ç徲ͨ¸æ£¬£¬£¬£¬£¬£¬£¬¹ûÕæÁËPulse Connect Secure£¨PCS£©ÖеÄÒ»¸öÉí·ÝÑéÖ¤ÈƹýÎó²î£¨CVE-2021-22893£©£¬£¬£¬£¬£¬£¬£¬¸ÃÎó²îµÄCVSSv3»ù±¾µÃ·ÖΪ10.0·Ö¡£¡£¡£Ô¶³Ì¹¥»÷¿ÉÒÔͨ¹ýʹÓôËÎó²îÔÚPulse Connect SecureÍø¹ØÉÏÖ´ÐÐí§Òâ´úÂ룬£¬£¬£¬£¬£¬£¬ÇÒ¸ÃÎó²îÎÞÐè¾­ÓÉÉí·ÝÑéÖ¤¼´¿ÉʹÓᣡ£¡£

ÏÖÔÚ¸ÃÎó²îÔÚÕë¶ÔÈ«Çò×éÖ¯µÄ¹¥»÷ÖÐÒѱ»Æð¾¢Ê¹Ó㬣¬£¬£¬£¬£¬£¬¹¥»÷Õßͨ¹ý½«WebShell°²ÅÅÔÚPulse Connect Secure×°±¸ÉÏ£¬£¬£¬£¬£¬£¬£¬ÒÔʵÏÖ½øÒ»²½µÄ»á¼ûºÍ³¤ÆÚÐÔ¡£¡£¡£ÒÑÖªµÄWebshell¾ßÓаüÀ¨Éí·ÝÑéÖ¤Èƹý¡¢¶àÒòËØÉí·ÝÑéÖ¤Èƹý¡¢ÃÜÂë¼Í¼ºÍ³¤ÆÚÐԵȶàÖÖ¹¦Ð§¡£¡£¡£

 

0x02 ´¦Öóͷ£½¨Òé

ÏÖÔÚPulseSecureÔÚPCS 9.1R.11.4°æ±¾ÖÐÐÞ¸´ÁË´ËÎó²î£¬£¬£¬£¬£¬£¬£¬¸ÃÎó²îµÄÇå¾²¸üÐÂÔ¤¼Æ½«ÓÚ5Ô³õÐû²¼£¬£¬£¬£¬£¬£¬£¬½¨ÒéʵʱÉý¼¶ÖÁ×îа汾¡£¡£¡£±ðµÄ£¬£¬£¬£¬£¬£¬£¬Pulse Secure»¹Ðû²¼ÁËPulse ConnectÇå¾²ÍêÕûÐÔ¹¤¾ß£¬£¬£¬£¬£¬£¬£¬ÒÔ×ÊÖú¿Í»§È·¶¨ÆäϵͳÊÇ·ñÊܵ½Ó°Ïì¡£¡£¡£

»º½â²½·¥

ͨ¹ýµ¼ÈëWorkaround-2104.xmlÎļþ¿ÉÒÔ»º½âCVE-2021-22893£¬£¬£¬£¬£¬£¬£¬µ«¸ÃÎļþ»á½ûÓÃWindows File Share BrowserºÍPulse Secure Collaboration¹¦Ð§¡£¡£¡£

 

ÏÂÔØÁ´½Ó£º

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784

 

0x03 ²Î¿¼Á´½Ó

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755

https://us-cert.cisa.gov/ncas/alerts/aa21-110a

https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day-used-to-hack-defense-firms-govt-orgs/

 

0x04 ʱ¼äÏß

2021-04-20  PluseSecureÐû²¼Ç徲ͨ¸æ

2021-04-21  VSRCÐû²¼Ç徲ͨ¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö±ê×¼¹ÙÍø£ºhttp://www.first.org/cvss/

image.png