Overview
Multiple organisations in various countries were compromised using Ivanti Pulse Connect Secure products. The threat-actor(s) used different old and new vulnerabilities to gain access to publicly facing Pulse Connect Secure devices. The vulnerabilities exploited are the following:
- CVE-2019-11510 - In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.
- CVE-2020-8260 - A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.
- CVE-2020-8243 - A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution.
- new (and unpublished) CVE-2021-22893 - SA44784 - 2021-04: Out-of-Cycle Advisory: Pulse Connect Secure RCE Vulnerability. Vulnerability in Pulse Connect Secure allows a remote unauthenticated attacker to execute arbitrary code via unspecified vectors.
Recommendation
The vendor states on their website The solution for these vulnerabilities (CVE-2021-22893) is to upgrade the Pulse Connect Secure server software version to the 9.1R.11.4 We will update the advisory once the timelines are available.
. The new updated software is not published yet. But there is a workaround XML file to disable the vulnerable features such as “Windows File Share Browser” and “Pulse Secure Collaboration”. Reboot is required after the application of the workaround.
The following URIs can be used to block at network level (packet filtering, DPI or Firewall):
^/+dana/+meeting
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
^/+dana-ws/+namedusers
^/+dana-ws/+metric
In addition, we recommend to run the “Integrity Assurance” software provided by Ivanti to ensure integrity of the software components. To forget to copy the serial number of your device, it will be required for downloading and interacting with Ivanti.
We also recommend to review your logs and especially additional technical evidences which can be used to detect potential compromise before workaround was applied.
Incident Response
If the “Integrity Assurance” software provided by Ivanti finds new files or mismatches on the file hashes, please consider the following steps:
- Isolate from the network the appliance (but don’t turn it off). Report the incident to your security operation center (SOC), security vendors or/and to CIRCL. Keep the results of the Integrity Assurance as an evidence.
- Create a ticket with Iventi or/and the vendor of your Pulse Secure equipments. Ask the detail procedure to acquire the evidences (memory and disk) if required depending of the result of the Integrity Assurance tool. The evidences need to be collected by the vendor in order to get a readable forensic acquisition.
- Keep the evidences in a safe place and contact your security operation center (SOC), security vendors or/and to CIRCL for further analysis.
References
- Alert (AA21-110A Exploitation of Pulse Connect Secure Vulnerabilities
- DHS.gov - Emergency Directive 21-03
- KB29805 - Pulse Connect Secure: Security configuration best practices
- KB44755 - Pulse Connect Secure (PCS) Integrity Assurance
- FireEye Mandiant PulseSecure Exploitation Countermeasures
- MISP event (UUID: b7f8805b-fec8-4491-b866-83a457212437) with indicators and additional information such as Yara rules.
Classification of this document
- TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.0 - TLP:WHITE - First version - 21st April 2021