Pulse Secure VPN Breach: What Happened & What Are The Implications?

A group of vulnerabilities with CVSS scores ranging from 7.2 (High) to 10 (Critical) have been reported:

• CVE-2021-22893 – Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
• CVE-2021-22894 – A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via a maliciously crafted meeting room.
• CVE-2021-22899 – A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature.
• CVE-2021-22900 – A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator performing a file write via a maliciously crafted archive upload in the administrator web interface.

When deployed, this group of malware allows threat actors to inject commands and upload anything through the Pulse Secure VPN Gateway.

Using Buffer Overflows and Use After Freeze, you can queue up and spill over commands potentially to any devices connected to the gateway.

If left unpatched, threat actors are able to exploit this vulnerability in the Pulse Secure VPN software to gain complete command and control over your environment.