Critical Pulse Connect Secure SSL VPN Vulnerability Exploited

Critical Pulse Connect Secure SSL VPN Vulnerability Exploited

Introduction

In yet another example of VPN appliance vulnerabilities being actively exploited by threat actors, 20 April 2021 saw the publication [1] of a critical Pulse Connect Secure (PCS) SSL VPN appliance vulnerability, CVE-2021-22893, allowing an authentication bypass that leads to an unauthenticated threat actor gaining the ability to remotely execute arbitrary code on a PCS gateway.

This critical vulnerability, assigned the maximum CVSS score of 10, has reportedly been observed as an initial infection vector in recent attacks against European and US Defense networks, as well as financial organizations, orchestrated by suspected nation-state sponsored threat actors sharing similarities with historic Chinese-nexus activity.

Impact

Likely exploited alongside previous high severity vulnerabilities, CVE-2021-22893 is reported as affecting Pulse Connect Secure versions 9.0R3 and higher with only, as of 20 April 2021, only a workaround available at this time.

Designated as to be fixed in version 9.1R11.4, the original advisory has an 'as yet to be decided' timeline for security updates that are likely to apply to the following product versions:

  • Pulse Connect Secure 9.1Rx
  • Pulse Connect Secure 9.0Rx

For reference, given their continued exploitation, previous high severity vulnerabilities potentially used alongside CVE-2021-22893 include:

  • CVE-2019-11510 - Critical severity (CVSS 10) unauthenticated arbitrary file read vulnerability affecting Pulse Connect Secure versions 8.2R1 to 8.2R12, 8.3R1 to 8.3R7 and 9.0R1 to 9.0R3.3 [2].
  • CVE-2020-8243 - High severity (CVSS 7.2) web admin interface vulnerability allowing an authenticated threat actor to upload a custom template leading to arbitrary code execution affecting Pulse Connect Secure/Policy Secure versions 9.1Rx or below [3].
  • CVE-2020-8260 - High severity (CVSS 7.2) web admin interface vulnerability allowing an authenticated threat actor to perform an uncontrolled gzip extraction leading to arbitrary code execution affecting Pulse Connect Secure/Policy Secure versions 9.1Rx or below [4].

Given the reported observation of suspected nation-state threat actors exploiting these vulnerabilities in the wild, high-sophistication threat actors may also seek to take advantage of similar tactics to gain access to victim networks.

Specifically, financially-motivated 'big game hunter' ransomware groups have previously exploited similar vulnerabilities in order to gain access to networks within organizations across multiple industries and regions.

As a warning of the risk these vulnerabilities pose, it was widely reported that the Travelex/REvil ransomware incident [6] in January 2020 commenced with the exploitation of a Pulse Secure VPN vulnerability leading to a near catastrophic outcome for the organization. Having gained initial access, the threat group were able to move laterally within the organization before enacting their 'steal, encrypt and leak' tactics in an attempt to extort millions.

Recommendations

  • Organizations using vulnerable versions should apply the latest security updates, where available, from Pulse Secure as soon as they are made available; CVE-2021-22893 is set to be resolved in version 9.1R11.4 and therefore the official advisory [1] should be monitored to determine the release schedule.
  • Consideration should also be given to applying the Pulse Secure workaround for CVE-2021-22893, available via their customer portal [5], that disables both the 'Pulse Secure Collaboration' and 'Windows File Share Browser' features.
  • Organizations using Pulse Connect Secure products, regardless of version, should consider the use of their 'Integrity Assurance' tool, also available via their customer portal [5], to verify the integrity of PCS deployments and flag any additional or modified files.

References

[1] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/

[2] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/

[3] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588

[4] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

[5] https://my.pulsesecure.net/

[6] https://l.cyberint.com/profiling-revil-ransomware-team-behind-the-travelex-breach_report