Pulse Secure fixes zero-day in Pulse Connect Secure (PCS) SSL VPN actively exploited

Pulse Secure has fixed a zero-day flaw in the Pulse Connect Secure (PCS) SSL VPN appliance that threat actors are actively exploiting in the wild.

Pulse Secure has addressed a zero-day vulnerability (CVE-2021-22893) in the Pulse Connect Secure (PCS) SSL VPN appliance that is being actively exploited by threat actors in attacks against defense firms and govt agencies.

The vulnerability is a buffer overflow issue in Pulse Connect Secure Collaboration Suite prior b9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user via maliciously crafted meeting room.

According to coordinated reports recently published by FireEye and Pulse Secure, two hacking groups have exploited the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defense contractors and government organizations worldwide.

The attacks were first discovered by the cybersecurity firm FireEye early this year, when the Mandiant incident response team investigated multiple security breaches at defense, government, and financial organizations around the world. In all the intrusions, the attackers targeted Pulse Secure VPN appliances in the breached networks.

“In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893.” reads the report published by FireEye.

The attacks began in August 2020, when a group tracked by FireEye as UNC2630, began targeting US defense contractors and European organizations. Threat actors leveraged Pulse Secure VPN bugsdisclosed in 2019 and 2020, along with a new zero-day tracked as CVE-2021-22893.

“A vulnerability was discovered under Pulse Connect Secure (PCS).  This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.” reads the advisory published by Pulse Secure.

The vendor also released a tool that can scan Pulse Secure VPN servers for signs of compromise for CVE-2021-22893 or other previous vulnerabilities.

Starting from October 2020, a second group tracked by FireEye as UNC2717 started exploiting the same zero-day flaw to install the following malware on the networks of government agencies in Europe and the US:

• HARDPULSE;
• QUIETPULSE;
• PULSEJUMP.

In March 2021, FireEye investigated a separate intrusion attributed to the UNC2717 threat actors that used RADIALPULSE, PULSEJUMP, and HARDPULSE to penetrate a European organization. These malware strains have many similarities with other code families used by UNC2630.

US Cybersecurity and Infrastructure Security Agency (CISA) also issued an emergency directive urging federal agencies to address the vulnerability within two days, the agency suggests to disable the Windows File Share Browser and Pulse Secure Collaboration features.

Today Pulse Secure has released a security update to address the CVE-2021-22893 vulnerability and recommends all users immediately install the patch.

“Today, the Pulse Secure team released a security update to address the issue outlined in Security Advisory SA44784 (CVE-2021-22893) impacting Pulse Connect Secure appliance. We recommend that customers move quickly to apply the update to ensure they are protected.” read the advisory published by the security vendor.

“The Pulse Secure team has worked closely with the Cybersecurity and Infrastructure Security Agency (CISA) as well as leading forensic experts and industry groups, including Mandiant/FireEye and Stroz Friedberg, among others, to investigate and respond quickly to malicious activity that was identified on a very limited number of customer systems.”

Customers running Pulse Connect Secure 9.0RX & 9.1RX should immediately address the issue by updating to Pulse Connect Secure 9.1R11.4.

Before installing the update, it is advised that organizations run the Pulse Secure Integrity Tool first to determine if their devices were breached and to respond accordingly.

Pulse Secure released an advisory last month that contains instructions on how to resolve this issue.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Pulse Connect Secure)

[adrotate banner=”5″]

[adrotate banner=”13″]