
Pulse Secure VPN Breach: What Happened & What Are The Implications?

 

Pulse Secure VPN Zero-Day Vulnerability Explained

 

The Pulse Secure VPN zero-day has been exploited resulting in the breach of several undisclosed defense firms and government organizations in the United States and Europe. In this clip from Breach Report #13, we take a look at the Pulse Secure VPN breach and discuss:

 

  • What happened?
  • Who was impacted?
  • What are the implications?
  • How can organizations prevent these attacks?

 


 

What Happened?

 

A group of vulnerabilities with CVSS scores ranging from 7.2 (High) to 10 (Critical) has been reported:

 

  • CVE-2021-22893 – Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
  • CVE-2021-22894 – A buffer overflow vulnerability in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via a maliciously crafted meeting room.
  • CVE-2021-22899 – A command injection vulnerability in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via the Windows Resource Profiles feature.
  • CVE-2021-22900 – A vulnerability in Pulse Connect Secure before 9.1R11.4 allowed multiple unrestricted uploads, which could let an authenticated administrator perform a file write via a maliciously crafted archive upload in the administrator web interface.

 

When exploited, this group of vulnerabilities allows threat actors to inject commands and upload arbitrary files through the Pulse Secure VPN gateway.

 

Using buffer overflow and use-after-free conditions, an attacker can queue up commands that spill over, potentially reaching any device connected to the gateway.

 

If left unpatched, threat actors are able to exploit these vulnerabilities in the Pulse Secure VPN software to gain full command and control over your environment.

 

Who Was Impacted?

 

Anyone using the Pulse Connect Secure (PCS) SSL VPN appliance was affected by this attack. Fortune 500 companies and numerous federal government agencies have been targeted.

 

What Are The Implications?

 

It is likely that Chinese-backed state actors are behind this attack. Security firm FireEye has linked at least two threat actors to these attacks.

 

 

UNC2630 is suspected to have ties with APT5, also known as Keyhole Panda, which is a Chinese government-backed group.

 

How Can You Prevent The Pulse Secure VPN Zero-Day Attack?

 

It is highly recommended that, if you're running PCS 9.0R3 or higher, you upgrade the server software to the 9.1R11.4 release.

 

As a workaround, the vulnerability can be mitigated on some gateways by disabling Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the security advisory published earlier today.

 

Pulse Secure also released the Pulse Connect Secure Integrity Tool to help customers determine if their systems are impacted. Security updates to solve this issue will be released in early May.
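As an added example (not code from the original article, from Pulse Secure, or from the vendor's Integrity Tool), the following Python script applies the upgrade and workaround guidance above to an appliance inventory: it parses Pulse Connect Secure version strings in the assumed `<major>.<minor>R<release>[.<patch>]` form, flags any appliance below 9.1R11.4, and records whether the Windows File Share Browser and Pulse Secure Collaboration features named in the workaround are disabled. The hostnames, versions and feature states in the sample inventory are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Release that the advisory text above names as carrying the fixes.
FIXED_RELEASE = "9.1R11.4"
# Earliest release the page names as exposed to the unauthenticated
# bypass (CVE-2021-22893): "9.0R3/9.1R1 and higher".
FIRST_BYPASS_AFFECTED = "9.0R3"

# Assumed version format: <major>.<minor>R<release>[.<patch>], e.g. 9.1R11.4
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_pcs_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Pulse Connect Secure version string into a comparable tuple.

    A missing patch component (e.g. "9.0R3") is treated as patch 0, so
    "9.1R11" sorts below "9.1R11.4" and above any "9.1R10.x".
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Pulse Connect Secure version: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def needs_upgrade(version: str) -> bool:
    """True when the appliance runs anything older than the fixed release."""
    return parse_pcs_version(version) < parse_pcs_version(FIXED_RELEASE)


@dataclass
class Appliance:
    """Minimal inventory record; the two flags mirror the features
    the workaround says to disable."""
    name: str
    version: str
    file_share_browser_enabled: bool
    collaboration_enabled: bool


def assess(appliance: Appliance) -> str:
    """Classify one appliance against the upgrade and workaround guidance."""
    version = parse_pcs_version(appliance.version)
    if version >= parse_pcs_version(FIXED_RELEASE):
        return "patched"
    # Below the fixed release the authenticated CVEs (22894/22899/22900)
    # apply regardless of feature configuration, so an upgrade is always due.
    workaround_applied = not (
        appliance.file_share_browser_enabled or appliance.collaboration_enabled
    )
    if version < parse_pcs_version(FIRST_BYPASS_AFFECTED):
        return "upgrade required (authenticated CVEs)"
    if workaround_applied:
        return "upgrade required (workaround applied)"
    return "URGENT: unauthenticated bypass exposed, upgrade required"


def assess_inventory(appliances: List[Appliance]) -> Dict[str, str]:
    """Map each appliance name to its status string."""
    return {a.name: assess(a) for a in appliances}


# Constructed sample inventory: hostnames, versions and flags are illustrative.
SAMPLE_INVENTORY = [
    Appliance("vpn-hq-01", "9.1R11.4", True, True),
    Appliance("vpn-hq-02", "9.1R11.3", True, False),
    Appliance("vpn-dr-01", "9.1R8", False, False),
    Appliance("vpn-lab-01", "9.0R2", True, True),
]

if __name__ == "__main__":
    for name, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:12} {status}")
```

The version tuple comparison is what makes the check reliable: a naive string comparison would rank "9.1R9" above "9.1R11.4". The workaround status is reported separately from the upgrade decision because, as the advisory list above shows, disabling the two features only addresses the unauthenticated bypass; the three authenticated vulnerabilities still require the 9.1R11.4 upgrade.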

 


 


 

Josh Allen

Josh is a diversely-skilled cyber security professional with 10 years of Department of Defense cyber security experience and the President and COO of Assured Compliance Technology. He recently served as a team lead for a Security Operations Center (SOC) supervising a team in a fast-paced cloud security as a service company.
