Pulse Secure VPN Breach: What Happened & What Are The Implications?

Pulse Secure VPN Zero-Day Vulnerability Explained

The Pulse Secure VPN zero-day has been exploited resulting in the breach of several undisclosed defense firms and government organizations in the United States and Europe.

What Happened?

A group of vulnerabilities with CVSS scores ranging from 7.2 (High) to 10 (Critical) has been reported:

  • CVE-2021-22893 – Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure, which can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
  • CVE-2021-22894 – A buffer overflow vulnerability in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via a maliciously crafted meeting room.
  • CVE-2021-22899 – A command injection vulnerability in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via the Windows Resource Profiles feature.
  • CVE-2021-22900 – A vulnerability allowing multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 could let an authenticated administrator perform a file write via a maliciously crafted archive upload in the administrator web interface.

When exploited, this group of vulnerabilities allows threat actors to inject commands and upload arbitrary files through the Pulse Secure VPN gateway.

Through buffer overflows and use-after-free bugs, an attacker can corrupt memory to queue up and execute commands, potentially reaching any device connected to the gateway.

If left unpatched, threat actors are able to exploit these vulnerabilities in the Pulse Secure VPN software to gain complete command and control over your environment.

Who Was Impacted?

Anyone using the Pulse Connect Secure (PCS) SSL VPN appliance was affected by this attack. Fortune 500 companies and numerous federal government agencies have been targeted.


What Are The Implications?

It is likely that Chinese-backed state actors are behind this attack. Security firm FireEye has linked at least two threat actors deploying these malware attacks:

UNC2630 is suspected to have ties with APT5, also known as Keyhole Panda, which is a Chinese government-backed group.

How Can You Prevent The Pulse Secure VPN Zero-Day Attack?

If you are running PCS 9.0R3 or higher, it is highly recommended that you upgrade the server software to the 9.1R11.4 release.

As a workaround, the vulnerability can be mitigated on some gateways by disabling Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the security advisory published earlier today.

Pulse Secure also released the Pulse Connect Secure Integrity Tool to help customers determine if their systems are impacted. Security updates to solve this issue will be released in early May.
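As an added example (this is not code from the article or from Pulse Secure), the Python below turns the version ranges stated above into an inventory triage: it parses a Pulse Connect Secure release string, decides which of the four CVEs apply, and lists the corresponding actions (upgrade, run the Integrity Tool, and the interim workaround for CVE-2021-22893). The release-string format (major.minor R release.patch), the host names and the inventory records are constructed assumptions; the version boundaries come from the CVE descriptions on this page.

```python
import re

# Pulse Connect Secure release strings on this page look like "9.1R11.4" or "9.0R3".
# The parse below (major.minor R release[.patch]) is this example's own assumption.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_pcs_version(s: str) -> tuple:
    """Turn '9.1R11.4' into a comparable tuple (9, 1, 11, 4); a missing patch counts as 0."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PCS version string: {s!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# Boundaries taken from the CVE descriptions above.
AFFECTED_FROM = parse_pcs_version("9.0R3")  # CVE-2021-22893: 9.0R3/9.1R1 and higher
FIXED_IN = parse_pcs_version("9.1R11.4")    # the other three CVEs: "before 9.1R11.4"


def affected_cves(version: str) -> list:
    """Return the CVEs from this advisory that apply to the given release."""
    v = parse_pcs_version(version)
    if v >= FIXED_IN:
        return []
    cves = ["CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900"]  # any release before 9.1R11.4
    if v >= AFFECTED_FROM:
        cves.insert(0, "CVE-2021-22893")  # only 9.0R3 and higher
    return cves


# Constructed sample inventory; the hosts and versions are not real.
SAMPLE_INVENTORY = [
    {"host": "vpn-gw-1.example.test", "version": "9.1R11.4"},
    {"host": "vpn-gw-2.example.test", "version": "9.1R9.1"},
    {"host": "vpn-gw-3.example.test", "version": "8.3R7.1"},
    {"host": "vpn-gw-4.example.test", "version": "unknown"},
]


def triage(inventory: list) -> dict:
    """Map each gateway to the CVEs it is exposed to and the actions the advisory calls for."""
    report = {}
    for entry in inventory:
        try:
            cves = affected_cves(entry["version"])
        except ValueError:
            # Unparseable version: do not guess, flag it for a manual check.
            report[entry["host"]] = {"version": entry["version"], "cves": None,
                                     "actions": ["verify version manually"]}
            continue
        actions = []
        if cves:
            actions.append("upgrade to 9.1R11.4")
            actions.append("run the Pulse Connect Secure Integrity Tool to check for compromise")
            if "CVE-2021-22893" in cves:
                actions.append("interim workaround: disable Windows File Share Browser "
                               "and Pulse Secure Collaboration")
        report[entry["host"]] = {"version": entry["version"], "cves": cves, "actions": actions}
    return report


if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(host, result["version"], result["cves"], result["actions"])
```

The tuple comparison is what makes the check trustworthy: a naive string comparison would rank "9.1R9.1" above "9.1R11.4" and report a vulnerable gateway as patched.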

Article by

Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.