On Tuesday, April 20, 2021, security firm FireEye published detailed analysis of multiple threat campaigns targeting Ivanti’s Pulse Connect Secure VPN. According to FireEye’s analysis, threat actors have been leveraging multiple techniques to bypass single- and multi-factor authentication on Pulse Secure VPN devices, establish persistence across updates, and maintain access via webshells. The focus of the analysis is on threats to U.S. defense networks, but Pulse Secure devices are also a perennially popular target for exploitation across a broad range of organizations’ networks.

While some of the intrusions FireEye is tracking were attributed to exploitation of older Pulse Secure vulnerabilities, threat actors have evidently also been using CVE-2021-22893, a previously unknown zero-day vulnerability, in combination with older vulns to harvest credentials, move laterally within target environments, and persist using legitimate but modified Pulse Secure binaries and scripts on VPN appliances. For full findings of FireEye’s investigation, including an extensive list of IOCs and ATT&CK techniques, we highly recommend reading their blog post here.

Actively exploited zero-day: CVE-2021-22893

Pulse Secure released an out-of-band security advisory Tuesday on CVE-2021-22893, a critical authentication bypass that allows remote, unauthenticated attackers to execute arbitrary code. The vulnerability affects versions 9.0R3 and higher of Pulse Connect Secure devices and carries a CVSSv3 base score of 10. There is no patch available—FireEye’s post indicated a “final” patch will be released in May—but Pulse Secure released a workaround (detailed below), and Ivanti’s PSIRT released a Pulse Connect Secure Integrity Tool that allows administrators to verify the PCS Image installed on Virtual or Hardware Appliances, check the integrity of the file system, and identify additional or modified files.

According to Pulse Secure’s advisory, older versions of Pulse Connect Secure are not affected by CVE-2021-22893, but it bears mentioning that those running older Pulse Secure devices may be affected by several other high-profile vulnerabilities that have seen broad, sustained exploitation over the past two years (e.g., CVE-2019-11510, CVE-2019-11539).

Guidance

Pulse Secure has issued a workaround in the form of an XML file that mitigates CVE-2021-22893 until a more permanent patch is available. Pulse Connect Secure customers should import the Workaround-2104.xml file, which blocks access to the Windows File Share Browser and Pulse Secure Collaboration features on the PCS appliance. According to the company’s out-of-band advisory, they are using an existing blocklist feature to disable the URL-based attack. Rapid7 researchers were able to decrypt the blocklist’s URI patterns, which are as follows:

  • ^/+dana/+meeting
  • ^/+dana/+fb/+smb
  • ^/+dana-cached/+fb/+smb
  • ^/+dana-ws/+namedusers
  • ^/+dana-ws/+metric

In addition to applying the workaround, customers may want to block these patterns at their network perimeter (requires an inline load balancer capable of performing SSL decryption). Pulse Secure has since updated their advisory with the unencrypted patterns. Customers with shell access to their appliance may run the following command to confirm that the blocklist is in place:

for i in {a..e}; do /home/bin/dsget "/vc0/config/blacklists/patch_2104-$i/content"; done
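Defenders who want to find requests to the blocked paths in their own web or proxy logs can reuse the five decrypted patterns directly. The following Python script is an added example and not part of Pulse Secure's workaround or Rapid7's tooling: it compiles the patterns exactly as listed above, matches them against the raw request path of constructed Apache/NGINX combined-format log lines (the IP addresses and paths are made up for illustration), and reports which pattern each hit triggered. Note that the `/+` in each pattern means repeated slashes such as `//dana//meeting` are still matched; the example matches the raw path as logged and does no percent-decoding or other normalization.

```python
import re

# The five URI patterns from the Workaround-2104.xml blocklist, as decrypted
# in the post above. They are anchored at the start of the path and use '/+'
# so that doubled slashes do not slip past the match.
BLOCKLIST_PATTERNS = [
    r"^/+dana/+meeting",
    r"^/+dana/+fb/+smb",
    r"^/+dana-cached/+fb/+smb",
    r"^/+dana-ws/+namedusers",
    r"^/+dana-ws/+metric",
]
COMPILED_PATTERNS = [re.compile(p) for p in BLOCKLIST_PATTERNS]

# Minimal parser for Apache/NGINX combined or common log format:
# client IP, identity, user, [timestamp], "METHOD target HTTP/x.y", status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})'
)


def matching_pattern(path):
    """Return the blocklist pattern that matches the request path, or None.

    The same regexes the appliance blocklist uses are applied to the raw
    path; the query string, if any, should be stripped by the caller.
    """
    for pattern in COMPILED_PATTERNS:
        if pattern.search(path):
            return pattern.pattern
    return None


def scan_log(lines):
    """Return (client_ip, path, pattern) for every request hitting a blocked path."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined/common format
        # Drop the query string; the patterns only care about the path prefix.
        path = m.group("target").split("?", 1)[0]
        pattern = matching_pattern(path)
        if pattern is not None:
            hits.append((m.group("ip"), path, pattern))
    return hits


# Constructed sample log lines (documentation-range IPs, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2021:10:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1234',
    '198.51.100.7 - - [20/Apr/2021:10:00:02 +0000] "GET //dana/meeting/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Apr/2021:10:00:03 +0000] "POST /dana-ws/namedusers?x=1 HTTP/1.1" 200 88',
    '203.0.113.9 - - [20/Apr/2021:10:00:04 +0000] "GET /dana/home/index.cgi HTTP/1.1" 200 2048',
    '192.0.2.44 - - [20/Apr/2021:10:00:05 +0000] "GET /dana-cached/fb/smb/wfb.cgi HTTP/1.1" 200 300',
    '192.0.2.44 - - [20/Apr/2021:10:00:06 +0000] "GET /dana-ws/metric HTTP/1.1" 200 16',
    'this line is not in log format and is skipped',
]


if __name__ == "__main__":
    for ip, path, pattern in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{path}\tmatched {pattern}")
```

Run against a real access log with `scan_log(open("access.log"))`; every returned tuple is a request that the workaround blocklist would have rejected, which is useful both for confirming the workaround is effective at the perimeter and for spotting pre-workaround activity worth investigating with the Integrity Tool.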

Pulse Connect Secure customers running versions 9.0R3 and up should apply the workaround immediately, without waiting for a regular patch or maintenance cycle to occur. We would also advise running Ivanti’s Integrity Tool to examine your Pulse Connect Secure images for files that may have been maliciously altered or added. Given the high likelihood of attacker-compromised credentials, organizations should also consider resetting passwords in their environment. Ivanti recommends reviewing the configuration to ensure no service accounts can be used to authenticate. For more information on Pulse Secure device configuration best practices, see the company’s knowledge base article here.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2021-22893 with authenticated vulnerability checks released on Tuesday, April 20, 2021. Please note that to ensure the highest degree of accuracy, this check requires website form credentials to authenticate to the /admin page of the Pulse Connect Secure server. Customers who aren’t sure whether (or where) Pulse Connect Secure is present in their environment can use Query Builder to search for network services or operating systems containing ‘Pulse’ in their name. The Scan Engine has some unauthenticated, versionless fingerprinting capabilities for Pulse Connect Secure that do not provide the accuracy needed for a vulnerability check, but may still give a sense of potential exposure.

Not an InsightVM or Nexpose customer? Start a free trial to scan for this vulnerability.
