Pulse Secure VPN Vulnerabilities Exploited

Pulse Secure VPN appliances are under attack. Two known vulnerabilities already have patches, while a novel vulnerability has a workaround until a patch is released.

One of the biggest security tools in an organization's toolbox is a Virtual Private Network (VPN). Businesses that did not have remote workers prior to the pandemic quickly learned the value of a good VPN. Those that did have remote workers learned even more about how a VPN can protect the business and how to make it available to each employee. As with all things in life, though, nothing is perfect. We've talked about Pulse Secure VPN in the past: it's used by many businesses in the healthcare industry, and it has known vulnerabilities. Those vulnerabilities, along with a new one, are causing major problems for the VPN provider.

“Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices,” researchers from Mandiant, the MDR and incident response arm of security vendor FireEye, said in a newly released report. “These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.”

The Mandiant team continued finding malicious activity they traced back to the Pulse Secure VPN, but they couldn't figure out how the attackers gained administrative credentials. Pulse Secure's (PCS) parent company, Ivanti, conducted an investigation and determined the threat actors were using the two known vulnerabilities, plus a zero-day vulnerability now tracked as CVE-2021-22893. The flaw, a critical vulnerability with a CVSS score of 10, allows threat actors to circumvent authentication on the VPN and execute arbitrary code.

Patches for the first two vulnerabilities were released last year; the new patch will ship in the next PCS release. Version 9.1R.11.4 has not been released yet, so the company provided a workaround: a .xml configuration file that can be imported into the appliance. Importing it disables the Windows File Share Browser and Pulse Secure Collaboration features, which blocks the attack vector. It's a temporary fix until the patch is released, which will hopefully be sooner rather than later, since the workaround has some limitations.

In addition to the workaround, Pulse Secure released a tool that helps admins check the integrity of the file system on their PCS appliances. It detects file modifications and additional malicious files deployed by the attackers.

When it comes to the new flaw that needs to be patched, Pulse Secure is doing all of the right things in response to an incident. They've conducted an investigation and know what the problem is, they've notified users that there is a problem, and they're working on a patch while providing a workaround for businesses in the meantime. This is an instance where the company executed a proper incident response: despite being the target of malicious activity, they are taking steps to ensure the safety and security of their customers.

Any user of a PCS appliance should do a full review and use the tool created by the company to ensure nothing nefarious is happening in their systems. Pulse Secure can only do so much; after that, business leaders must do their part as well. Apply the patches, check your systems, and make sure your business isn't compromised. And, as always, consult an expert to help with complicated processes you don't fully understand. Security is more than just following steps, so it's best to trust those things to people who eat, breathe and sleep security.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries, including finance, media, medical tech, and defense contracting. He also authored the highly influential precursor HAZL (jADE) programming language.
