Threat Response – Pulse Secure VPN Active Exploit

20-04-2021

A SAFE DIGITAL JOURNEY

On Tuesday 20 April, FireEye published information about an actively exploited vulnerability in Pulse Secure VPN [1][2]. In this message, we want to warn you about the threat and inform you about the possible mitigation steps.

Description

FireEye released information about a vulnerability in Pulse Secure VPN, registered as CVE-2021-22893. The vulnerability has been given the maximum CVSS 3.1 score of 10.0 and is being actively exploited.

The affected software versions are Pulse Connect Secure (PCS) versions 9.0R3 and higher.

Impact

By exploiting this vulnerability, a threat actor gains remote code execution on the appliance running Pulse Connect Secure. There are known cases in which attackers gained persistence by installing web shells during their attack. We therefore estimate the impact as high.

Risk

By their nature, most Pulse Connect Secure appliances are publicly accessible. Because no credentials are needed to execute the attack, we estimate the risk as high.

What should you do?

Pulse Secure provides a workaround on their website [2] for some affected systems. The workaround prevents abuse of the vulnerability, since an actual bug fix is not ready yet. Northwave recommends applying this workaround. Note that two features of the appliance will be disabled: Windows File Share Browser and Pulse Secure Collaboration.

Appliances running PCS versions 9.0R1 – 9.0R4.1 or 9.1R1 – 9.1R2 should be updated before the workaround can be applied. The workaround is not recommended for license servers. License servers can instead be protected at the firewall level, by restricting which hosts are allowed to connect to them.

After applying the workaround you should check for earlier compromise, since the vulnerability is being actively exploited. Pulse Secure provides the PCS Integrity Assurance tool [3] to validate your systems.
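
To help triage an appliance inventory against the version ranges stated above, the following is an added example (not Northwave's or Pulse Secure's tooling); it assumes PCS versions are written as major.minor R release with an optional patch number, e.g. 9.0R4.1, and the host names and versions in the inventory are constructed.

```python
"""Classify PCS appliances by the advisory's version ranges (constructed example)."""
import re
from typing import Dict, List, Tuple

# Assumed version format: "9.0R4.1" -> major 9, minor 0, release 4, patch 1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_pcs_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a PCS version string into a comparable tuple; a missing patch counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = match.groups()
    return int(major), int(minor), int(release), int(patch or 0)


# Ranges as stated in the advisory text above.
AFFECTED_FROM = parse_pcs_version("9.0R3")  # 9.0R3 and higher are affected
UPDATE_BEFORE_WORKAROUND = [                 # update first, then apply the workaround
    (parse_pcs_version("9.0R1"), parse_pcs_version("9.0R4.1")),
    (parse_pcs_version("9.1R1"), parse_pcs_version("9.1R2")),
]


def triage(version: str, license_server: bool = False) -> str:
    """Return the advisory's recommended action for one appliance."""
    v = parse_pcs_version(version)
    if v < AFFECTED_FROM:
        # Below the affected range the advisory names; still run the Integrity Assurance check.
        return "not-in-affected-range"
    if license_server:
        # The workaround is not recommended for license servers: restrict access at the firewall.
        return "restrict-at-firewall"
    if any(low <= v <= high for low, high in UPDATE_BEFORE_WORKAROUND):
        return "update-then-apply-workaround"
    return "apply-workaround"


def triage_inventory(inventory: List[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Map each (host, version, is_license_server) entry to its action."""
    return {host: triage(version, is_license) for host, version, is_license in inventory}


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = [("vpn-a", "9.1R2", False), ("vpn-b", "9.1R11.4", False), ("lic-1", "9.0R3", True)]
    for host, action in triage_inventory(sample).items():
        print(f"{host}: {action}")
```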

What will Northwave do?

Northwave is currently implementing the network-based detection rules in our monitoring solution. We expect to complete that tomorrow morning. In order to detect attacks, a Northwave NIDS appliance in your network is required. Additionally, the Northwave NIDS appliance must receive a copy of the traffic that flows to and from the Pulse Secure VPN appliance.

Northwave is also tracking developments on Indicators of Compromise (IoCs). Whenever we find new IoCs, we will add them to the Northwave Detection Platform.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html

[2]: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/

[3]: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755


Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.