System updates urgent amid exploitation by nation-state attackers

An actively exploited zero-day vulnerability in Pulse Connect Secure VPN appliances has been patched together with another pair of newly disclosed critical flaws.

Organizations that use Connect Secure, described by parent company Ivanti as the most widely used SSL VPN, were urged to update their systems immediately in a security advisory dropped yesterday (May 3).

The former zero-day bug, which can lead to remote code execution (RCE) and has a maximum CVSS score of 10, was first disclosed on April 20 along with suggested mitigations. The advice arrived amid reports of widespread, in-the-wild exploitation by suspected state-backed threat actors.

The attackers, believed to include a group – ‘UNC2630’ – linked to APT5 and the Chinese government, have also targeted three Connect Secure vulnerabilities patched in 2019 and 2020: CVE-2019-11510, CVE-2020-8243, and CVE-2020-8260.

Anatomy of exploitation

Ivanti CSO Phil Richards said malicious activity had been “identified on a very limited number of customer systems”.

In a lengthy technical write-up analyzing the deployment of 12 malware families, FireEye-owned incident response firm Mandiant said intrusions traced back to Pulse Secure flaws had been observed against defense, government, and financial organizations in the US, Europe, and elsewhere.

“Multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices [were] persisting across upgrades, and maintaining access through webshells,” said Mandiant.

Critical bug trio

Both scoring a near-maximum CVSS of 9.9, the newly disclosed critical bugs include a command injection vulnerability (CVE-2021-22899) that allows authenticated users to perform RCE via Windows File Resource Profiles, and a buffer overflow bug in Pulse Connect Secure Collaboration Suite (CVE-2021-22894) that allows authenticated users to execute arbitrary code through a maliciously crafted meeting room.


Catch up on the latest network security news


The first critical vulnerability (CVE-2021-22893), an authentication bypass vulnerability, was caused by a client-side code sign verification failure, present since April 12 when “the validity of the code signing certificate expired”, whereby the certificate expiry time was checked instead of the code signing timestamp.

Invanti has also disclosed and patched a high severity unrestricted file upload flaw (CVE-2021-22900).

Software update and workaround

All four CVEs have been addressed in Pulse Connect Secure version 9.1R.11.4.

The vulnerabilities affect environments running Pulse Connect Secure 9.0RX or 9.1RX, with CVE-2021-22893 affecting PCS 9.0R3/9.1R1 and higher.

Ivanti has released an exploit-detection tool, advised impacted customers to change all passwords, and offered a “workaround” file for users unable to update to the latest version.

The Pulse Secure team has coordinated its response with the help of the US Cybersecurity and Infrastructure Security Agency (CISA), Mandiant, and incident response firm Stroz Friedberg, among other parties.

Phil Richards of Ivanti, which only acquired Pulse Secure in December 2020, said: “As sophisticated threat actors continue their attacks on U.S. businesses and government agencies, we will continue to work with our customers, the broader security industry, law enforcement and government agencies to mitigate these threats.

“Companywide we are making significant investments to enhance our overall cyber security posture, including a broad[er] implementation of secure application development standards.”

Ivanti declined to comment further in response to additional queries from The Daily Swig.


DON’T FORGET TO READ Emotet clean-up: Security pros draw lessons from botnet menace as kill switch is activated