Two weeks after researchers warned that attackers in China were exploiting a newly discovered vulnerability in the Pulse Connect Secure VPN appliance, the company has released a patch for that flaw, along with several others that can be used for remote code execution.
The vulnerability that surfaced in April (CVE-2021-22893) is in fact a collection of several use-after-free bugs in Pulse Connect Secure. Attackers have been exploiting the flaws for some time, perhaps as long as several years. Specialists from Mandiant discovered the attack activity a few months ago during the course of an incident response investigation and said a newly identified group the company calls UNC2630 was exploiting the flaws. Other groups may also have been targeting the vulnerabilities.
“Early this year, Mandiant investigated multiple intrusions at defense, government, and financial organizations around the world. In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment,” FireEye researchers wrote in an analysis of the intrusions.
“We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance.”
The Pulse Connect Secure VPN is used for remote access in a range of organizations, including enterprises and government agencies. Targeting VPN flaws can be a profitable exercise for attackers, as it can provide a reliable access method for further movement inside a network. In addition to the use-after-free vulnerabilities, Pulse Secure also released fixes for three other critical bugs, including a buffer overflow in the Collaboration Suite, and a command-injection bug and unrestricted upload flaw in Pulse Connect Secure.
“Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. Many of these vulnerabilities have a critical CVSS score and pose a significant risk to your deployment,” the PulseSecure security advisory says.
The vulnerabilities affect Pulse Connect Secure versions prior to 9.1R11.4.
“As sophisticated threat actors continue their attacks on U.S. businesses and government agencies, we will continue to work with our customers, the broader security industry, law enforcement and government agencies to mitigate these threats. Companywide we are making significant investments to enhance our overall cyber security posture, including a more broad implementation of secure application development standards,” Phil Rich, CSO of Pulse Secure, said in a post.