Sikov - stock.adobe.com

CISA: Patch Issued for Critical Pulse Secure VPN Flaw Under Active Attack

Ivanti released a patch for a critical zero-day authentication bypass flaw found in its Pulse Secure VPN, which CISA previously warned was under active attack.

Ivanti released a software update to patch a critical zero-day authentication bypass vulnerability in its Pulse Connect Secure (PCS) virtual private network (VPN) software, which the Department of Homeland Security Cybersecurity and Infrastructure Agency recently warned was under active attack.

The software update resolves the recently disclosed CVE-2021-22893, which is among a group of four vulnerabilities currently being targeted in an ongoing malicious campaign. The severely critical flaw was disclosed with mitigation measures, as Ivanti was continuing to work on a patch.

The three other flaws, CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243 were patched in 2019 and 2020 but some entities failed to apply the update. 

Hackers have been actively targeting these flaws since June 2020 and have already compromised a host of organizations, including government agencies, private sector networks, and critical infrastructure agencies.

During the observed attacks, the threat actors modified several legitimate Pulse Secure files on the affected devices with ample webshell functionality. The attacker also employed multiple commands, whose actions were logged in the Unauthenticated Requests Log.

Upon successful exploit, an attacker would be able to install webshells onto the devices, propagate across connected devices, and maintain persistence on the network. The installed webshells allow for a range of malicious activities, including  authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

Ivanti’s software update will close these security vulnerabilities and is the only solution to fully remediate the issue.

“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we are pleased to be able to deliver a security patch in such short order to address the vulnerability,” Pulse Secure explained in a blog post, outlining the effort.

“As sophisticated threat actors continue their attacks on US businesses and government agencies, we will continue to work with our customers, the broader security industry, law enforcement and government agencies to mitigate these threats,” they added. 

Entities that can’t apply the update should employ the previous mitigation measures provided by the vendor to prevent an attack, including the use of the Integrity Tool provided by Ivanti. The tool enhances the ability to verify the PCS image installed on virtual and hardware devices and checks the integrity of the complete file system, and additional or modified files.

Administrators should first take a snapshot of the appliance then run the integrity tool on virtualized platforms, which will help with the detection of malicious activities. Those with physical appliances have been encouraged to reach out to Ivanti for support. The tool will need to be run on a daily basis until the patch is applied.

CISA also updated its alert page for the Pulse Secure flaws to include detections of TLS Fingerprinting and Impossible Travel, to identify remnants of attacks through the vulnerabilities.

“It’s possible a network defender may be able to reveal illegitimate connections from users that are masquerading as legitimate users from different geolocations,” officials explained. “CISA has noted IPs associated with malicious webshell interaction from a threat actor—associated with a single username—in both the authenticated and the unauthenticated logs at the same time.” 

“The geo-location for the two IP addresses was sufficiently far that impossible travel calculations could detect the threat actor IP address,” they added.”TLS fingerprinting may also be useful in identifying malicious activity. CISA has noted re-use of various JA3 hashes including JA3 hashes that align with Chrome, Firefox, and others.”

Pulse Secure is continuing to work on bolstering its overall cybersecurity posture, which includes implementing secure application standards.

Next Steps

Dig Deeper on Cybersecurity strategies