An authentication bypass vulnerability was discovered in Pulse Connect Secure (PCS) that allows an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. Reports in the wild state that this new zero-day vulnerability in Pulse Secure VPN devices, CVE-2021-22893, was exploited to take over multiple US and European government organizations, including those in the defense and financial sectors.
According to a blog published by FireEye, “At least two threat actors, tracked as UNC2630 and UNC2717, have deployed 12 malware strains in these attacks.” FireEye further stated that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, is responsible for the initial infection vector. As mentioned in the blog, 12 malware families associated with the exploitation of Pulse Secure VPN appliances are currently being tracked.
The malware families, grouped by threat actor, are as follows:
- UNC2630: SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK
- UNC2717: HARDPULSE, QUIETPULSE, and PULSEJUMP
As per the current updates, there is no evidence that these threat actors have introduced any backdoors through a supply chain compromise of Pulse Secure’s network.
Affected versions: PCS version 9.0R3 and higher.
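To triage an appliance inventory against the affected range above, the following added example (not from Qualys or Pulse Secure) parses PCS version strings of the form `9.0R3` / `9.1R11.4` (tolerating the `9.1R.11.4` spelling used in this post) and flags every gateway at 9.0R3 or higher as affected; the inventory lines are constructed sample data.

```python
import re
from typing import List, NamedTuple, Tuple


class PcsVersion(NamedTuple):
    """PCS version as (major, minor, release, build); tuple order gives comparison."""
    major: int
    minor: int
    release: int
    build: int


# Accepts "9.0R3", "9.1R11.4" and the "9.1R.11.4" spelling seen in this post.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R\.?(\d+)(?:\.(\d+))?$")


def parse_pcs_version(text: str) -> PcsVersion:
    """Parse a PCS version string; raises ValueError on an unrecognised format."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, build = m.groups()
    return PcsVersion(int(major), int(minor), int(release), int(build or 0))


# Lower bound of the affected range stated in the advisory: 9.0R3 and higher.
AFFECTED_FROM = parse_pcs_version("9.0R3")


def is_affected(version: str) -> bool:
    """True when the gateway runs 9.0R3 or higher (no fixed build was available)."""
    return parse_pcs_version(version) >= AFFECTED_FROM


# Constructed sample inventory: (hostname, reported PCS version).
INVENTORY: List[Tuple[str, str]] = [
    ("vpn-gw-01.example.test", "9.1R11.3"),
    ("vpn-gw-02.example.test", "9.0R2"),
    ("vpn-gw-03.example.test", "8.3R15"),
    ("vpn-gw-04.example.test", "9.0R3"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose version falls in the affected range."""
    return [host for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"AFFECTED: {host}")
```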
There is currently no patch available for this vulnerability. Pulse Secure recommends upgrading to PCS Server version 9.1R.11.4 once that release is available. In the meantime, Pulse Secure recommends disabling the following two affected feature sets on existing PCS instances:
- Windows File Share Browser
- Pulse Secure Collaboration
As outlined in the Pulse Secure advisory, make sure that the Windows File Share Browser feature is disabled after importing the XML workaround.
The workaround for Pulse Secure CVE-2021-22893 blocks the following URI patterns:
Pulse Secure has also released the Pulse Connect Secure Integrity Tool to help customers determine whether their systems are impacted. Security updates to fix this issue will be released in early May.
Qualys customers can scan their network with QID 38838 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.