PDS Cyber Security Advisory:
Advisory Regarding Critical Vulnerability in Ivanti Pulse Connect Secure Software
Advisory Type: IT Security
Summary: PDS is providing the following communication to build awareness of a critical risk in Ivanti’s Pulse Connect Secure software.
On April 16, 2021, Ivanti released notice of an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. The vulnerability, CVE-2021-22893, has been assigned a score of 10, the highest criticality on the scale. The notice is available here: Pulse_Security_Advisories-SA44784
Ivanti has updated their advisory (April 19) with a workaround while a patch is being developed.
The company also provided a software tool which users can run to validate the integrity of all Pulse Connect files in the gateway system and identify any additional and modified files. Details of the integrity validation tool are here: Pulse_Secure_Article-KB44755
We strongly advise customers using Ivanti Pulse Connect Secure gateways to review the advisories, run the validation tool, and implement the workaround pending the issuance of a patch. PDS Architects are available to assist with the updates; your Account Director can help arrange support for this issue.