Zero Days & Vulns

Pulse Secure VPN zero-day

Published 2 May 2021, updated 18 May 2021

Pulse Secure VPN vulnerability

A critical zero-day vulnerability has been discovered in the Pulse Connect Secure (PCS) VPN software. It affects PCS 9.0R3 and above and is currently being exploited in the wild, with at least twelve malware families associated with the activity.

 

  • CVE-2021-22893: allows an unauthenticated remote attacker to execute arbitrary code on the appliance.

 

Pulse Secure has also observed attempts to exploit older, already-patched vulnerabilities and urges customers to apply the corresponding fixes:

  • CVE-2019-11510: allows unauthenticated attackers to read arbitrary files.

Affected versions: 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, 8.2R1 to 8.2R12.

  • CVE-2020-8243: allows an authenticated attacker with administrator access to execute arbitrary code through the admin web interface.

Affects the admin web interface of PCS 9.1Rx or below and Pulse Policy Secure (PPS) 9.1Rx or below.

  • CVE-2020-8260: allows authenticated attackers to execute arbitrary code.

Affects the same versions as CVE-2020-8243, plus Pulse Secure Desktop Client 9.1Rx or below.
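As an added example (not code from the original page or from Pulse Secure), the following Python maps a PCS release string to the advisories listed above. The ranges for CVE-2021-22893 and CVE-2019-11510 are the ones stated on this page; for the two 2020 flaws the page only says "9.1Rx or below", and the 9.1R8.2 cutoff used for them is taken from Pulse Secure's own advisories, an assumption not stated here. The version grammar (major.minor, "R", release number, optional maintenance number) is likewise an assumption drawn from the release names quoted above.

```python
"""Check which of the advisories listed above apply to a Pulse Connect Secure release."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed release grammar, e.g. 9.1R11.4, 9.0R3.3 or 8.3R7: major.minor, an "R"
# release number and an optional maintenance number. Normalising to a tuple makes
# plain tuple comparison order releases correctly (9.1R11.4 > 9.1R8.2 > 9.0R3.3).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Pulse Secure release string: {text!r}")
    major, minor, release, maint = m.groups()
    return (int(major), int(minor), int(release), int(maint or 0))


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    first: Optional[str] = None     # first affected release (inclusive); None = every earlier release
    last: Optional[str] = None      # last affected release (inclusive), or ...
    fixed_in: Optional[str] = None  # ... the release that fixes it (exclusive upper bound)

    def contains(self, v: Version) -> bool:
        if self.first is not None and v < parse_version(self.first):
            return False
        if self.last is not None:
            return v <= parse_version(self.last)
        if self.fixed_in is not None:
            return v < parse_version(self.fixed_in)
        raise ValueError(f"{self.cve}: range needs 'last' or 'fixed_in'")


AFFECTED = [
    # CVE-2021-22893: 9.0R3 and above, fixed by the 9.1R11.4 update recommended on this page.
    AffectedRange("CVE-2021-22893", first="9.0R3", fixed_in="9.1R11.4"),
    # CVE-2019-11510: the three inclusive ranges given on this page.
    AffectedRange("CVE-2019-11510", first="9.0R1", last="9.0R3.3"),
    AffectedRange("CVE-2019-11510", first="8.3R1", last="8.3R7"),
    AffectedRange("CVE-2019-11510", first="8.2R1", last="8.2R12"),
    # CVE-2020-8243 / CVE-2020-8260: the page only says "9.1Rx or below". The 9.1R8.2
    # fix release is an assumption taken from Pulse Secure's advisories, not this page.
    AffectedRange("CVE-2020-8243", fixed_in="9.1R8.2"),
    AffectedRange("CVE-2020-8260", fixed_in="9.1R8.2"),
]


def affected_cves(version: str) -> List[str]:
    """Return the sorted, de-duplicated CVE IDs whose affected range covers `version`."""
    v = parse_version(version)
    return sorted({r.cve for r in AFFECTED if r.contains(v)})


if __name__ == "__main__":
    for rel in ("9.1R11.4", "9.1R9", "9.0R3.3", "8.3R7"):
        print(rel, "->", ", ".join(affected_cves(rel)) or "none of the above")
```

Feed it the release shown on the appliance's admin console (or returned by the vendor's Integrity Checker Tool) to see at a glance which of the flaws above still apply before and after an upgrade.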

RECOMMENDED SOLUTION
  • Customers running an affected version are urged to upgrade to 9.1R11.4 (further detail and timeline pending) and to apply the fixes for the older vulnerabilities listed above.
POSSIBLE MITIGATION
  • Until then, apply the workaround published by Pulse Secure: import the file Workaround-2104.xml, which disables the Windows File Share Browser and Pulse Secure Collaboration features, following the vendor's guidelines (a Pulse Secure support account is needed).
  • Remove this workaround once the fix, expected in early May, has been applied, following the recommended steps.

NB: appliances running 9.0R1 to 9.0R4.1 or 9.1R1 to 9.1R2 must be upgraded before importing the XML file. The workaround should not be used on license servers.

  • Pulse Secure has published an integrity checker tool to help detect compromise; if compromise is confirmed, change passwords and isolate the appliance.
  • Monitor LDAP and RADIUS authentication traffic as well as failed VPN login attempts.
  • Check Pulse Connect Secure appliances for deployed webshells.
  • CISA recommends continuing to run the tool after remediation.
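The monitoring advice above, as an added example that is not part of the original post: a small Python sliding-window detector run over constructed, made-up log lines. The line format ("timestamp result user= src=") and the 5-failures-in-5-minutes threshold are assumptions of the example, not Pulse Connect Secure's real log format or a vendor recommendation. Failed logins are keyed both by source address, which surfaces one host spraying many accounts, and by account, which surfaces many hosts hammering one account.

```python
"""Flag bursts of failed VPN logins per source address and per account."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample lines (not real Pulse Connect Secure log output). The format
# "<ISO timestamp> <LOGIN_OK|LOGIN_FAILED> user=<name> src=<ip>" is an assumption.
SAMPLE_LOG = """
2021-05-02T10:00:01 LOGIN_FAILED user=alice src=203.0.113.7
2021-05-02T10:00:08 LOGIN_FAILED user=bob src=203.0.113.7
2021-05-02T10:00:15 LOGIN_FAILED user=carol src=203.0.113.7
2021-05-02T10:00:21 LOGIN_FAILED user=dave src=203.0.113.7
2021-05-02T10:00:30 LOGIN_FAILED user=erin src=203.0.113.7
2021-05-02T10:01:02 LOGIN_OK user=alice src=198.51.100.20
2021-05-02T10:02:00 LOGIN_FAILED user=frank src=198.51.100.31
2021-05-02T10:20:00 LOGIN_FAILED user=frank src=198.51.100.31
2021-05-02T10:40:00 LOGIN_FAILED user=frank src=198.51.100.31
2021-05-02T11:00:00 LOGIN_FAILED user=admin src=192.0.2.10
2021-05-02T11:00:10 LOGIN_FAILED user=admin src=192.0.2.11
2021-05-02T11:00:20 LOGIN_FAILED user=admin src=192.0.2.12
2021-05-02T11:00:30 LOGIN_FAILED user=admin src=192.0.2.10
2021-05-02T11:00:40 LOGIN_FAILED user=admin src=192.0.2.11
""".strip()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)  # assumed sliding window
THRESHOLD = 5                  # assumed failures-per-window that triggers an alert


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def peak_failures(lines: Iterable[str], window: timedelta = WINDOW) -> Dict[str, int]:
    """Peak number of failed logins per key ("src:<ip>" or "user:<name>") inside any
    window-long interval. Lines are assumed to be in chronological order."""
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "LOGIN_FAILED":
            continue
        for key in (f"src:{ev['src']}", f"user:{ev['user']}"):
            q = recent[key]
            q.append(ev["ts"])
            # Drop timestamps that have fallen out of the window.
            while ev["ts"] - q[0] > window:
                q.popleft()
            peak[key] = max(peak[key], len(q))
    return dict(peak)


def alerts(lines: Iterable[str], window: timedelta = WINDOW, threshold: int = THRESHOLD) -> List[str]:
    """Keys whose failure count reached the threshold within a single window."""
    return sorted(k for k, n in peak_failures(lines, window).items() if n >= threshold)


if __name__ == "__main__":
    for key in alerts(SAMPLE_LOG.splitlines()):
        print("ALERT: burst of failed logins for", key)
```

On the sample above the source 203.0.113.7 (one host, five accounts) and the account admin (five failures from three hosts) are flagged, while frank's three failures forty minutes apart are not; raise or lower the window and threshold to match the appliance's normal failure rate.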

For more information, refer to Pulse Secure for solutions to mitigate and defend your devices.

Sources: Pulse Secure, Bleeping Computer, FireEye, MITRE CVE, CISA, I-Tracing