Permanent Fix Replaces Earlier Workaround
Ivanti, parent company of Pulse Secure, published a permanent fix Monday for a zero-day vulnerability in Pulse Connect Secure VPN products that has been exploited to target U.S. government agencies, critical infrastructure providers and other companies over the last several weeks.
The zero-day flaw, which is tracked as CVE-2021-22893, is one of at least four vulnerabilities in Pulse Connect Secure VPN products that have been exploited by various groups, including one with connections to China, since earlier this year. In April, security firm FireEye published a report about the attacks as well as details about the zero-day bug that was being exploited (see: Nation-State Actor Linked to Pulse Secure Attacks).
Although Ivanti had previously published a mitigation technique to help protect against the zero-day vulnerability, the patch issued Monday is a more permanent fix for the bug, according to the company.
Ivanti and the Cybersecurity and Infrastructure Security Agency are urging organizations that use Pulse Connect Secure VPN products to immediately apply the patch. Patches for the other exploited vulnerabilities have been previously published by the company.
“As sophisticated threat actors continue their attacks on U.S. businesses and government agencies, we will continue to work with our customers, the broader security industry, law enforcement and government agencies to mitigate these threats,” says Phil Richards, chief security officer of Ivanti. “Companywide, we are making significant investments to enhance our overall cybersecurity posture, including a more broad implementation of secure application development standards.”
On Friday, a senior CISA official said that the agency was investigating whether five executive branch agencies had possibly been breached by attackers exploiting one or more of the vulnerabilities in Pulse Connect Secure VPN appliances (see: CISA: 5 Agencies Using Pulse Secure VPNs Possibly Breached).
Last month, CISA ordered 26 federal agencies that use Pulse Connect Secure VPN products to run the Pulse Connect Secure Integrity Tool to check the integrity of file systems within their networks and report back the results to the agency, according to Matt Hartman, deputy executive assistant director at CISA.
Those results showed five networks had traces of suspicious or malicious activity, and further analysis is now needed, Hartman said.
FireEye’s Mandiant team previously identified two threat groups, which it labeled UNC2630 and UNC2717, that it believes are behind the attacks exploiting the Pulse Connect Secure flaws. UNC2630 is suspected to have ties to another threat group that works on behalf of the Chinese government, although a definitive connection could not be made, according to the report.
In its Monday alert, Ivanti urges customers who are using Pulse Connect Secure 9.0RX and 9.1RX to immediately upgrade to Pulse Connect Secure 9.1R11.4, which fixes the vulnerability.
Pulse Secure customers should also run the Integrity Tool to check for any additional malicious activity within their networks, according to the update.
The zero-day flaw, CVE-2021-22893, could, if exploited, allow an unauthenticated, remote attacker to execute arbitrary code through unspecified vectors, Ivanti says.
Besides the critical zero-day flaw, attackers have also targeted older flaws in these VPN appliances, including CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243. Patches for these bugs were issued in 2019 and 2020, Ivanti says.