Wednesday, 21 April 2021 07:49

Pulse Secure VPN device remotely exploitable due to vulnerability

By Sam Varghese

A widely deployed SSL VPN device known as Pulse Connect Secure has been revealed to have a serious, remotely exploitable vulnerability with a Common Vulnerability Scoring System score of 10, the maximum possible.

This, and three other vulnerabilities that were discovered earlier by Pulse Secure, the owner of Pulse Connect Secure, are being exploited by malicious attackers, according to a blog post by security vendor FireEye.

Details of the vulnerability were released overnight by the maker of the device. A workaround was also provided, but a final patch will arrive only next month. The other three vulnerabilities that are being exploited have already been patched but the take-up of patches appears to have been very slow.

A security advisory said the vulnerability included an authentication bypass that could allow an unauthenticated user to carry out remote execution of an arbitrary file on the Pulse Connect Secure Gateway.

In a statement, Phil Richards, the chief security officer of the company, said: "The Pulse Secure team recently discovered that a limited number of customers have experienced evidence of exploit behavior on their Pulse Connect Secure appliances.

"We have discovered four issues, the bulk of which involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260).

"There is a new issue, discovered this month, that impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system. We will be releasing a software update in early May. Visit Security Advisory SA44784 (CVE-2021-22893) for more information."

FireEye said in its post that its Mandiant division had responded to multiple incidents involving Pulse Secure VPN appliances being compromised.

A total of 12 malware families were being tracked in connection with these compromises, the security vendor said. "These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families."

The company said it had investigated multiple intrusions at defence, government, and financial organisations around the world earlier this year and in each case the first indications of attacker activity were traceable back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment.

"In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti [the parent company of Pulse Secure], we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893," FireEye added.

Scott Caveza, research engineering manager at security outfit Tenable, commented: "CVE-2019-11510, which has been exploited in the wild since details became public in August 2019, was one of the top five vulnerabilities in Tenable's 2020 Threat Landscape Retrospective report because of its ease of exploitation and widespread exploitation.

"Because it is a zero-day and the timetable for the release of a patch is not yet known, CVE-2021-22893 gives attackers a valuable tool to gain entry into a key resource used by many organisations, especially in the wake of the shift to the remote workforce over the last year.

"Attackers can utilise this flaw to further compromise the PCS device, implant backdoors and compromise credentials. While Pulse Secure has noted that the zero-day has seen limited use in targeted attacks, it's just a matter of time before a proof-of-concept becomes publicly available, which we anticipate will lead to widespread exploitation, as we observed with CVE-2019-11510."


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
