Users of Pulse Secure VPN are being urged to patch a newly disclosed authentication bypass zero-day that enables an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway – and is already being exploited. CVE-2021-22893 carries a critical CVSS rating of 10 but can be mitigated for the time being by downloading a workaround from Pulse Secure. A full patch will not be available until at least the beginning of May.
Phil Richard, the chief security officer at Ivanti, which acquired Pulse Secure in 2020, said: “The Pulse Connect Secure [PCS] team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances. The PCS team has provided remediation guidance to these customers directly.
“The new issue, discovered this month, impacted a minimal number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediate the risk to their system.”
Richard also described ongoing attempts to exploit appliances that remain vulnerable, through lack of end-user attention, to three other issues – CVE-2019-11510, CVE-2020-8243, and CVE-2020-8260 – all of which have been disclosed and patched within the past two years. Users are encouraged to review the firm’s previous advisories and follow the guidance, including changing all passwords within the environment if impacted.
“Customers are also encouraged to apply and leverage the efficient and easy-to-use Pulse Secure Integrity Checker Tool to identify any unusual activity on their system. For more information, visit the Secure Pulse Blog,” said Richard.
FireEye’s Mandiant said it had already responded to incidents at customers whose VPN appliances had been compromised, and had worked closely with Pulse Secure on the disclosure.
Charles Carmakal, SVP and CTO at Mandiant, said: “Through the course of our investigations, we learned that a zero-day and other known vulnerabilities in the VPN solution were exploited to facilitate intrusions across dozens of organizations, including government agencies, financial entities, and defense companies in the United States and abroad. We suspect these intrusions align with data and intelligence collection objectives by China.