Wednesday, 21 April 2021 07:49

Pulse Secure VPN device remotely exploitable due to vulnerability

A widely deployed SSL VPN device known as Pulse Connect Secure has been revealed to have a serious, remotely exploitable vulnerability with a Common Vulnerability Scoring System (CVSS) score of 10, the maximum possible.

This, and three other vulnerabilities that were discovered earlier by Pulse Secure, the owner of Pulse Connect Secure, are being exploited by malicious attackers, according to a blog post by security vendor FireEye.

Details of the vulnerability were released overnight by the maker of the device. A workaround was also provided, but a final patch will arrive only next month. The other three vulnerabilities that are being exploited have already been patched but the take-up of patches appears to have been very slow.

A security advisory said the vulnerability included an authentication bypass that could allow an unauthenticated user to carry out remote execution of an arbitrary file on the Pulse Connect Secure Gateway.

In a statement, Phil Richards, the chief security officer of the company, said: "The Pulse Secure team recently discovered that a limited number of customers have experienced evidence of exploit behavior on their Pulse Connect Secure appliances.

"We have discovered four issues, the bulk of which involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260).

"There is a new issue, discovered this month, that impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system. We will be releasing a software update in early May. Visit Security Advisory SA44784 (CVE-2021-22893) for more information."

FireEye said in its post that its Mandiant division had responded to multiple incidents involving Pulse Secure VPN appliances being compromised.

A total of 12 malware families were being tracked in connection with these compromises, the security vendor said. "These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families."

The company said it had investigated multiple intrusions at defence, government, and financial organisations around the world earlier this year and in each case the first indications of attacker activity were traceable back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment.

"In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti [the parent company of Pulse Secure], we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893," FireEye added.

Scott Caveza, research engineering manager at security outfit Tenable, commented: "CVE-2019-11510, which has been exploited in the wild since details became public in August 2019, was one of the top five vulnerabilities in Tenable's 2020 Threat Landscape Retrospective report because of its ease of exploitation and widespread exploitation.

"Because it is a zero-day and the timetable for the release of a patch is not yet known, CVE-2021-22893 gives attackers a valuable tool to gain entry into a key resource used by many organisations, especially in the wake of the shift to the remote workforce over the last year.

"Attackers can utilise this flaw to further compromise the PCS device, implant backdoors and compromise credentials. While Pulse Secure has noted that the zero-day has seen limited use in targeted attacks, it's just a matter of time before a proof-of-concept becomes publicly available, which we anticipate will lead to widespread exploitation, as we observed with CVE-2019-11510."


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
