A critical zero-day vulnerability has been identified in Pulse Secure VPN appliances that is being actively exploited by a Chinese advanced persistent threat group. The vulnerability is being chained with previously disclosed Pulse Secure Connect vulnerabilities to gain persistent access to vulnerable appliances and achieve lateral movement within victims’ networks. Targeted organizations include government agencies, defense, critical infrastructure, and financial institutions.
Ivanti, which acquired Pulse Secure in 2020, issued an out-of-cycle security alert about the new vulnerability on April 20, 2021 and reports the flaws affects PCS 9.0R3 and later. The vulnerability, tracked as CVE-2021-22893, is an authentication bypass flaw that can be exploited by a remote unauthenticated attacker to execute arbitrary code in the Pulse Connect Secure Gateway and gain persistent access. The flaw has been assigned the maximum CVSS v3 score of 10/10.
The vulnerability is being chained with the previously disclosed Pulse Secure VPN vulnerabilities – CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243. Patches have been available for some time to correct these three flaws, yet many entities have not applied the patches and are vulnerable, even though there have been numerous security alerts about active exploitation of the flaws issued over the past few months.
A patch has not yet been released to fix the CVE-2021-22893 zero-day and Ivanti does not expect to release a patch until early May. In the meantime, mitigations have been developed by the Pulse Connect Secure team that will prevent exploitation.
“The new issue, discovered this month, impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system,” said Ivanti Chief Security Officer.
Until the patch is released, all users of the vulnerable Pulse Connect Secure appliances should apply the mitigations offered by Ivanti. This involves importing an xml file to the appliances that will disable the Windows File Share Browser and Pulse Secure Collaboration Pulse Connect Secure features – Details and the xml file are available on this link.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory about the flaw along with an emergency directive requiring all federal agencies to apply the mitigations by Friday.
“CISA is aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related vulnerabilities in certain Ivanti Pulse Connect Secure products,” explained CISA in the alert.
Patching the vulnerabilities and implementing the mitigations are not sufficient in themselves. If the flaws have already been exploited, the patches and mitigations will not prevent further unauthorized access. The attackers have exploited the flaws to install a web shell that will allow persistent access even after the appliances have been patched. Attackers can bypass authentication and multi-factor authentication, log passwords, and achieve lateral movement after exploiting the flaw.
In addition to patching and applying the mitigations, it is imperative for the Pulse Connect Secure Integrity Tool to be deployed and run to identify malicious activity related to the exploitation of the flaws. Many entities have confirmed after patching the vulnerabilities had previously been exploited after they ran the Pulse Connect Secure Integrity Tool. CISA requires all federal agencies to deploy and run the integrity tool by Friday and investigate any malicious activity.