This, and three other vulnerabilities that were disclosed earlier by Pulse Secure, the maker of Pulse Connect Secure, are being exploited by malicious attackers, according to a blog post by security vendor FireEye.
Details of the vulnerability were released overnight by the maker of the device. A workaround was also provided, but a final patch will arrive only next month. The other three vulnerabilities that are being exploited have already been patched but the take-up of patches appears to have been very slow.
A security advisory said the vulnerability included an authentication bypass that could allow an unauthenticated user to carry out remote execution of an arbitrary file on the Pulse Connect Secure Gateway.
The very annoying thing about this is when the first bug in Pulse came out, YOU SHOULD HAVE UNINSTALLED IT FROM YOUR NETWORK. Patching as a risk mitigation method is what screwed you here, and everyone involved should be fired. https://t.co/aU2Aiti0RC
— daveaitel (@daveaitel) April 20, 2021
"We have discovered four issues, the bulk of which involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260).
"There is a new issue, discovered this month, that impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system. We will be releasing a software update in early May. Visit Security Advisory SA44784 (CVE-2021-22893) for more information."
FireEye said in its post that its Mandiant division had responded to multiple incidents involving Pulse Secure VPN appliances being compromised.
I don't think Pulse Secure's customers care about Ivanti's use of SolarWinds, no offense to Ivanti. I do think they care about the actively exploited zero days in their products, which aren't listed anywhere on their customer website homepage. pic.twitter.com/QZzjR4UshB
— Kevin Beaumont (@GossiTheDog) April 20, 2021
A total of 12 malware families were being tracked in connection with these compromises, the security vendor said. "These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families."
The company said it had investigated multiple intrusions at defence, government, and financial organisations around the world earlier this year and in each case the first indications of attacker activity were traceable back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment.
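The tracing step FireEye describes above, finding the earliest sign of attacker activity and checking whether it originated from the address pool a VPN appliance assigns to clients, is something a responder can script. The example below is an added illustration, not FireEye's or Pulse Secure's code; it assumes a hypothetical pair of VPN client address pools and a constructed four-field log format (timestamp, source IP, destination host, action), and returns the first event seen from each VPN-pool address so an investigator knows where to start a timeline.

```python
import ipaddress
from datetime import datetime

# Hypothetical: the address pools the VPN appliance hands out to connected clients.
# In a real investigation these come from the appliance's own configuration.
VPN_CLIENT_POOLS = [
    ipaddress.ip_network("10.200.0.0/22"),
    ipaddress.ip_network("10.200.8.0/24"),
]

# Constructed sample log lines: "<UTC timestamp> <source IP> <destination host> <action>".
SAMPLE_LOG = """\
2021-02-03T08:12:44Z 10.50.3.17 fileserver01 smb_logon_success
2021-02-03T09:02:10Z 10.200.1.25 dc01 ldap_bind
2021-02-03T09:03:55Z 10.200.1.25 fileserver01 smb_logon_success
2021-02-03T11:40:02Z 10.200.8.9 dc01 ldap_bind
2021-02-04T01:15:30Z 10.200.1.25 dc01 kerberos_tgt_request
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp and IP."""
    ts, src, dst, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(src),
        "dst": dst,
        "action": action,
    }


def from_vpn_pool(addr):
    """True if the address falls inside any of the VPN client pools."""
    return any(addr in net for net in VPN_CLIENT_POOLS)


def earliest_vpn_origin_events(log_text):
    """Return {source IP: earliest event} for events whose source is a VPN-pool address.

    Events from other internal ranges are ignored; for each VPN-pool address the
    chronologically first event is kept, which is the pivot point for a timeline.
    """
    first = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not from_vpn_pool(ev["src"]):
            continue
        key = str(ev["src"])
        if key not in first or ev["ts"] < first[key]["ts"]:
            first[key] = ev
    return first


def first_vpn_origin_event(log_text):
    """The single earliest VPN-sourced event across all addresses, or None."""
    events = list(earliest_vpn_origin_events(log_text).values())
    return min(events, key=lambda e: e["ts"]) if events else None


if __name__ == "__main__":
    for src, ev in sorted(earliest_vpn_origin_events(SAMPLE_LOG).items()):
        print(f"{src}: first seen {ev['ts'].isoformat()} -> {ev['dst']} ({ev['action']})")
```

Run against real data, the interesting follow-up is to compare the timestamps found here with the appliance's own session logs: if a VPN-pool address is active against internal hosts with no matching session for a legitimate user, that is the discrepancy FireEye's investigators were chasing.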
"In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti [the parent company of Pulse Secure], we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893," FireEye added.
Scott Caveza, research engineering manager at security outfit Tenable, commented: "CVE-2019-11510, which has been exploited in the wild since details became public in August 2019, was one of the top five vulnerabilities in Tenable's 2020 Threat Landscape Retrospective report because of its ease of exploitation and widespread exploitation.
"Because it is a zero-day and the timetable for the release of a patch is not yet known, CVE-2021-22893 gives attackers a valuable tool to gain entry into a key resource used by many organisations, especially in the wake of the shift to the remote workforce over the last year.
"Attackers can utilise this flaw to further compromise the PCS device, implant backdoors and compromise credentials. While Pulse Secure has noted that the zero-day has seen limited use in targeted attacks, it's just a matter of time before a proof-of-concept becomes publicly available, which we anticipate will lead to widespread exploitation, as we observed with CVE-2019-11510."