Pulse Secure has published a security advisory regarding threat actors exploiting Pulse Connect Secure (PCS) SSL VPN appliances through a newly discovered zero-day flaw that allows attackers to perform remote arbitrary file execution on the Pulse Connect Secure gateway, in combination with previously patched vulnerabilities addressed in 2019 and 2020.
According to coordinated reports from other security researchers, two known APT groups have exploited the newly discovered zero-day flaw, allowing their malware to harvest Active Directory credentials and bypass multi-factor authentication on Pulse Secure devices in order to access victim networks for several months without being detected.
A. Nature of the Vulnerability
The vulnerabilities used in the attacks were tracked as:
- CVE-2021-22893: an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway via unspecified vectors.
- CVE-2020-8260: a vulnerability in the Pulse Connect Secure admin web interface that could allow an authenticated attacker to perform arbitrary code execution through uncontrolled gzip extraction.
- CVE-2020-8243: a vulnerability in the admin web interface of Pulse Connect Secure versions before 9.1R8.2 that could allow an authenticated attacker to upload a custom template and perform arbitrary code execution.
- CVE-2019-11510: an arbitrary file reading vulnerability in which an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.
B. List of Vulnerable Systems
Vulnerable Pulse Connect Secure versions are as follows:
- 9.0R3 and higher
C. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Users are advised to install the latest version of Pulse Connect Secure server as soon as it is made available on the vendor's official website.
- Until the security patch is published, users can mitigate the flaw by downloading and importing the Workaround-2104.xml file, which disables the URL-based attacks (https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784).
- However, the above workaround does not work on 9.0R1 to 9.0R4.1 or 9.1R1 to 9.1R2. If the PCS is running one of these versions, upgrade before performing the import. Moreover, this is only possible if there is an inline load balancer that does SSL decryption.
- The workaround is not recommended for a license server.
- Refer to the Pulse Secure Security Advisory for more information regarding the zero-day vulnerability (https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784).
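To apply the version ranges from sections B and C across a fleet, the following added example (not part of the CERT-PH advisory or Pulse Secure's own tooling) parses PCS version strings and reports, for each appliance, whether it falls in the affected range and whether Workaround-2104.xml can be imported directly or only after an upgrade. It assumes the version format major.minor R release[.patch] (e.g. 9.1R11.3) and uses a constructed inventory list.

```python
import re
from typing import Dict, List, Tuple

# Assumed PCS version format: "9.0R4.1" -> major 9, minor 0, release 4, patch 1.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")
Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '9.0R4.1' into a comparable tuple (9, 0, 4, 1); a missing patch counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# Ranges taken from the advisory text above (inclusive). No fixed version is
# named yet, so "9.0R3 and higher" is treated as open-ended.
VULNERABLE_FROM = parse_version("9.0R3")
WORKAROUND_UNSUPPORTED = [
    (parse_version("9.0R1"), parse_version("9.0R4.1")),
    (parse_version("9.1R1"), parse_version("9.1R2")),
]


def triage(text: str) -> Dict[str, object]:
    """Classify one appliance version against the advisory's stated ranges."""
    v = parse_version(text)
    vulnerable = v >= VULNERABLE_FROM
    workaround_ok = not any(lo <= v <= hi for lo, hi in WORKAROUND_UNSUPPORTED)
    if not vulnerable:
        action = "below 9.0R3: outside the stated range; confirm against vendor list"
    elif workaround_ok:
        action = "import Workaround-2104.xml now; patch when released"
    else:
        action = "upgrade first, then import Workaround-2104.xml"
    return {"version": text, "vulnerable": vulnerable,
            "workaround_supported": workaround_ok, "action": action}


def triage_inventory(versions: List[str]) -> List[Dict[str, object]]:
    """Run triage over a list of version strings, e.g. exported from an asset inventory."""
    return [triage(v) for v in versions]


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    for row in triage_inventory(["9.0R2", "9.0R4.1", "9.1R2", "9.1R11.3"]):
        print(f"{row['version']:>9}  vulnerable={row['vulnerable']!s:5}  {row['action']}")
```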