Pulse Connect Secure Vulnerability Advisory | April 2021

Threat actors are exploiting vulnerabilities in Pulse Connect Secure products. Here's what you need to know.

Threat actors are exploiting four vulnerabilities in Pulse Connect Secure products, widely used for virtual private network (VPN) remote access. Ivanti Pulse Connect Secure customers should take immediate action to determine if they are impacted. 

Background

On April 20, 2021, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued a Cyber Activity Alert (AA21-110A) and an Emergency Directive (21-03) regarding vulnerabilities in certain Ivanti Pulse Connect Secure products, which are widely used for virtual private network (VPN) remote access. To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

Quick facts: what you need to know now

  • A patch is now available here.
  • The affected products include:  
    • Pulse Connect Secure prior to 9.1R.11.4
    • Pulse Policy Secure (PPS) 9.1Rx or below
    • Pulse Secure Desktop Client (PDC) 9.1Rx or below
  • Pulse Secure has identified four issues which are described in: 
  • Failure to investigate properly and update your organization’s software could result in a threat actor being able to gain access and persistence to return to your systems, bypass MFA, and ultimately launch an attack such as ransomware within your network
  • There is a tool to check for malicious activity on PCS available here.

Next Steps for Ivanti Pulse Connect Secure Customers

If your organization uses Ivanti Pulse Connect Secure products, you should:

  1. Itemize all instances of Pulse Connect Secure virtual and hardware appliances hosted by your organization or on your organization's behalf.
  2. Upgrade the Pulse Connect Secure server software version to the 9.1R.11.4 (patch available here!).
  3. Immediately run Ivanti’s Pulse Secure Connect Integrity Tool on every instance of a Pulse Connect Secure appliance identified in Step 1 to determine whether your VPN has been compromised.
    1. Immediately isolate the appliance from the network while keeping the power on; and
    2. notify Corvus of a potential cyber claim via cyberclaims@corvusinsurance.com.  We will then connect you to counsel and a forensics firm to ensure your organization properly investigates, mitigates, and responds to the threat.If the tool detects a compromise:
    3. Affected appliances should only be returned into production after forensic analysis has been completed and remediation requirements have been met.Review CISA’s Cyber Activity Alert (AA21-110A) and the Pulse Secure blog, for more detailed steps and guidance.