Alert - Active Exploitation of Pulse Connect Secure Vulnerabilities - update 1

Number: AL21-008 UPDATE 1
Date: 21 April 2021
Updated: 3 May 2021

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it within their respective organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

On 20 April 2021, Pulse Secure released a Security Advisory highlighting a critical remote code execution vulnerability in its Pulse Connect Secure product. Open-source reporting has indicated that active exploitation of this vulnerability, as well as of prior Pulse Secure vulnerabilities, has been observed.

DETAILS

On 20 April 2021, Pulse Secure released a Security Advisory highlighting a critical remote code execution vulnerability in its Pulse Connect Secure (PCS) VPN appliance, affecting versions 9.0R3 and above. The vulnerability allows a remote unauthenticated actor to execute arbitrary code on an affected device. According to analysis conducted by Pulse Secure, this vulnerability, tracked as CVE-2021-22893, is actively being leveraged to gain a foothold within private networks. Currently, only a workaround is available to mitigate the impact of CVE-2021-22893. [1] A final patch to address this vulnerability is expected to be released in early May. In addition to the workaround, Pulse Secure recently released a “Pulse Connect Secure Integrity Tool” that verifies the integrity of the PCS filesystem in order to detect additional and/or modified files. [2]

UPDATE: On 3 May 2021, Pulse Secure released a patch to address CVE-2021-22893 [1]. Furthermore, the Security Advisory was updated to highlight additional vulnerabilities found in PCS devices, namely, CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900, the first two being critical vulnerabilities. These vulnerabilities are also addressed by the patch.

Pulse Secure has been working closely with Mandiant to address recent breaches involving Pulse Secure VPN devices. Details regarding these breaches can be found in Mandiant’s blog. [3] The blog highlights that, in addition to CVE-2021-22893, actors have been leveraging other vulnerabilities from 2019 and 2020 to exploit unpatched PCS devices. Mandiant has provided a technical analysis as well as indicators of compromise to aid in the detection of tools leveraged by these actors. [3][4]

SUGGESTED ACTION

The Cyber Centre encourages those organizations leveraging PCS devices to:

  • UPDATE: Apply necessary patches,
  • Review the indicators of compromise published by Mandiant to identify signs of compromise, [4]
  • Check the integrity of your PCS file system with the PCS Integrity Tool.

Should activity matching the content of this Alert be discovered, recipients are encouraged to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).

REFERENCES

[1] SA44784 - 2021-04: Out-of-Cycle Advisory: Pulse Connect Secure RCE Vulnerability (CVE-2021-22893):
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY

[2] KB44755 - Pulse Connect Secure (PCS) Integrity Assurance:
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755

[3] Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day:
https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html

[4] GitHub - Pulse Secure Exploitation Countermeasures:
https://github.com/fireeye/pulsesecure_exploitation_countermeasures

NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.