Pulse Secure announced that a critical vulnerability (CVE-2021-22893) was discovered in their VPN service "Pulse Secure Connect" in a recent security advisory.

The advisory states that, "a vulnerability was discovered under Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment."

The company released a blog post alongside this advisory disclosing that the vulnerability has been exploited in the wild. According to the blog post, several other previously known vulnerabilities were exploited during these incidents:

  • CVE-2019-11510
  • CVE-2020-8243
  • CVE-2020-8260 The U.S. Cybersecurity and Infrastructure Security Agency also also released an alert warning of these vulnerabilities. In the alert, CISA notes that networks belonging to multiple government agencies, critical infrastructure entities and private sector organizations have been compromised going as far back as June 2020.

VPN vulnerabilities of this nature are exploited by a wide variety of threat actors, including ransomware groups and potentially state-sponsored actors. In one of our previous blog posts, we cover an advisory by the U.S. National Security Agency that outlines several vulnerabilities that the Russian Foreign Intelligence Services (SVR) exploited in the wild. One of the CVEs discussed in the advisory is CVE-2019-11510, which was also leveraged in the Pulse Connect attacks described above.

Mitigation

Pulse Connect has released a tool for checking the integrity of the PCS software. Cisco Talos also recommends updating to the most recent version of Pulse Connect Secure as soon as possible, as the previously known vulnerabilities (CVE-2019-11510, CVE-2020-8243, CVE-2020-8260) have been fixed in patches released by Pulse Secure. However, the most recent vulnerability, CVE-2021-22893, has not yet been patched, according to Pulse Secure. A patch is expected to be released in May.

The U.S. Department of Homeland Security has also released an Emergency Directive detailing the incident and required actions for mitigation.

While Cisco Talos is continually monitoring this threat as it develops and adding coverage as new information emerges, we strongly urge to employ the mitigation techniques provided by CISA and Pulse Connect.

The links to mitigations and advisories from this article are listed below:

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. Please note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption in Cisco Secure Firewall and Snort to detect exploitation of these vulnerabilities. For some examples of this, see how it can be done to protect against exploits associated with Bluekeep and Hafnium.

Snort Rules: 51288, 51289, 51390, 57452-57459, and 57461-57468