News

VPN Vulnerability Found in Ivanti's Pulse Connect Secure

• By Kurt Mackie
• 04/29/2021

Ivanti recently issued a warning about a new security vulnerability in its Pulse Connect Secure VPN appliances that enables "an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway."

The new vulnerability (CVE-2021-22893) was explained in Pulse Secure's Security Advisory SA44784. This vulnerability is rated "10" (out of 10 in severity) on the Common Vulnerability Scoring System scale.

Pulse Secure is promising that a patch for CVE-2021-22893 will be available "in early May." It has already worked "to provide mitigations directly to the limited number of impacted customers."

The Pulse Connect Secure product is also under attack from older vulnerabilities that were issued patches at least a year ago, including CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243. The 2019 vulnerability within that bunch apparently is still widely unpatched, based on an alert that was issued recently by three U.S. agencies.

CISA Alert
The announcement by Pulse Secure coincided with an alert issued by the U.S. Cybersecurity and Information Security Agency, which noted the new vulnerability. All four vulnerabilities (old and new) are being leveraged by an attacker to "place webshells on the Pulse Connect Secure appliance for further access and persistence," CISA noted:

The cyber threat actor is using exploited devices located on residential IP space -- including publicly facing Network Attached Storage (NAS) devices and small home business routers from multiple vendors -- to proxy their connection to interact with the webshells they placed on these devices. These devices, which the threat actor is using to proxy the connection, correlate with the country of the victim and allow the actor activity to blend in with normal telework user activity.

FireEye Investigation
Ivanti Pulse Secure is working with FireEye's Mandiant security team on investigating the attacks associated with vulnerability CVE-2021-22893.

FireEye published its partial findings, as described in this announcement. FireEye is attributing the attacks using CVE-2021-22893 to the advanced persistent threat group "UNC2630," which is suspected as operating "on behalf of the Chinese government." Another advanced persistent threat group, "UNC2717," also is involved in the attacks, but FireEye can't attribute government sponsorship.

Pulse Connect Secure users should run a utility provided by Pulse Secure to check the integrity of their software, according to FireEye:

Organizations should utilize the most recent version of Pulse Secure's Integrity Assurance utility released on March 31, 2021. If a device fails this Integrity Assurance utility, network administrators should follow the instructions here and contact their Pulse CSR [customer service representative] for additional guidance.

In addition, FireEye recommended resetting passwords and "reviewing the configuration to ensure no service accounts can be used to authenticate to the vulnerability."

FireEye further noted that it has tracked 12 malware families that are being used in conjunction with these Pulse Connect Secure attacks. They are being used to circumvent authentication and add backdoor access. Since the malware being used is somewhat disparate, "it is likely that multiple actors are responsible for the creation and deployment of these various code families," FireEye indicated.

Ivanti, well-known for its IT security and management solutions, acquired Pulse Secure last year. With this latest issue, "the team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system," Ivanti Pulse Secure noted.