Alert - Active Exploitation of Pulse Connect Secure Vulnerabilities - update 1

Number: AL21-008 UPDATE 1
Date: 21 April 2021
Updated: 3 May 2021

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it within their respective organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

On 20 April 2021, Pulse Secure released a Security Advisory highlighting a critical remote code execution vulnerability in its Pulse Connect Secure product. Open-source reporting has indicated that active exploitation of this vulnerability as well as prior Pulse Secure vulnerabilities has been observed.

DETAILS

On 20 April 2021, Pulse Secure released a Security Advisory highlighting a critical remote code execution vulnerability in its Pulse Connect Secure (PCS) VPN appliance, affecting versions 9.0R3 and above. The vulnerability allows a remote unauthenticated actor to execute arbitrary code on an affected device. According to analysis conducted by Pulse Secure, this vulnerability, tracked as CVE-2021-22893, is actively being leveraged to gain a foothold within private networks. Currently, only a workaround is available to mitigate the impact of CVE-2021-22893. [1] A final patch to address this vulnerability is expected to be released in early May. In addition to the workaround, Pulse Secure recently released a “Pulse Connect Secure Integrity Tool” that verifies the integrity of the PCS filesystem in order to detect additional and/or modified files. [2]

UPDATE: On 3 May 2021, Pulse Secure released a patch to address CVE-2021-22893 [1]. Furthermore, the Security Advisory was updated to highlight additional vulnerabilities found in PCS devices, namely, CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900, the first two being critical vulnerabilities. These vulnerabilities are also addressed by the patch.

Pulse Secure has been working closely with Mandiant to address recent breaches involving Pulse Secure VPN devices. Details regarding these breaches can be found in Mandiant’s blog. [3] The blog highlights that, in addition to CVE-2021-22893, actors have been leveraging other vulnerabilities from 2019 and 2020 to exploit unpatched PCS devices. Mandiant has provided a technical analysis as well as indicators of compromise to aid in the detection of tools leveraged by these actors. [3][4]

SUGGESTED ACTION

The Cyber Centre encourages those organizations leveraging PCS devices to:

  • UPDATE: Apply necessary patches,
  • Review the indicators of compromise published by Mandiant to identify signs of compromise, [4]
  • Check the integrity of your PCS file system with the PCS Integrity Tool.

Should activity matching the content of this Alert be discovered, recipients are encouraged to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).

REFERENCES

[1] SA44784 - 2021-04: Out-of-Cycle Advisory: Pulse Connect Secure RCE Vulnerability (CVE-2021-22893):
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY

[2] KB44755 - Pulse Connect Secure (PCS) Integrity Assurance:
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755

[3] Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day:
https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html

[4] Github Pulse Secure Exploitation Countermeasures:
https://github.com/fireeye/pulsesecure_exploitation_countermeasures

NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.