By Bruce Sussman
Thu | Apr 22, 2021 | 6:04 AM PDT

Have you patched the known vulnerabilities discovered in Pulse Secure's Connect Secure products?

Patching for these issues is so urgent that the Cybersecurity and Infrastructure Security Agency (CISA) issued a deadline for federal agencies to complete patches by the end of the week.

What is Pulse Secure saying about product vulnerabilities?

Here is what we know at this point about the VPN vulnerabilities, the testing tool you can use to see if your organization is impacted, and the urgent call for patching in this case.

Phil Richards, Chief Security Officer at Pulse Secure, explains the issues in a new blog post.

"We have discovered four issues, the bulk of which involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260). We strongly recommend that customers review the advisories and follow the recommended guidance, including changing all passwords in the environment if impacted.

There is a new issue, discovered this month, that impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediate the risk to their system. We will be releasing a software update in early May. Visit Security Advisory SA44784 (CVE-2021-22893) for more information."

Are Pulse Secure vulnerabilities being observed in the wild?

And unfortunately, these vulnerabilities are not just theoretical; they are being taken advantage of by an adversary, according to the federal government.

"CISA has observed active exploitation of vulnerabilities in Pulse Connect Secure products, a widely used SSL remote access solution. Successful exploitation of these vulnerabilities could allow an attacker to place webshells on the appliance to gain persistent system access into the appliance operating the vulnerable software.

CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities by threat actors in external network environments, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise."

The agency set a federal patching deadline of April 23 at 5 p.m. ET. This is the same type of quick turnaround time that the government required in the case of the Microsoft Exchange server vulnerabilities.

Which threat actors are behind the Pulse Connect Secure exploits?

Who is taking advantage of the Pulse Connect Secure vulnerabilities? According to FireEye, several threat actors are likely doing so.

"Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices. These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families."

FireEye says the malware families allow attackers to do things like execute MFA bypass attacks, elevate privileges, and install backdoors.

How can you test for Pulse Secure vulnerabilities?

Pulse Secure is now sharing what it calls the Pulse Connect Secure Integrity Tool for all instances of PCS virtual and hardware appliances. This will allow organizations to determine whether any PCS files have been maliciously modified or added.

These modifications could allow persistent access to your environment if you fail to patch.

One additional note here: FireEye says it does not believe, at this point, that this is a supply chain attack. And Pulse Secure's CSO says the company is doing all it can to prevent one:

"A secure computing environment is more important each and every day to how we work and live, as threats evolve and emerge. We are making significant investments to enhance our overall cyber security infrastructure, including evolving standards of code development and conducting a full code integrity review."