
Security advisories | Apr 20, 2021

Attacks Against Pulse Connect Secure (PCS) Appliances

THE THREAT

On April 20th, 2021, security services firm Mandiant released a report [1] detailing active attacks against Pulse Connect Secure (PCS) appliances. The attacks combine known vulnerabilities from 2019 and 2020 (CVE-2019-11510, CVE-2020-8243, and CVE-2020-8260) with a previously unknown authentication bypass vulnerability tracked as CVE-2021-22893. They involve bypassing both single-factor and multi-factor authentication on the appliances and deploying webshells to maintain access.

Customers operating PCS appliances are strongly recommended to apply the relevant mitigation actions and utilize Pulse Secure’s Integrity Tool to assess impact.

What we’re doing about it

  • MVS will automatically add the relevant plugins for CVE-2021-22893 once details are made available
    • Plugins are in place for previously known Pulse Secure vulnerabilities
  • eSentire security teams continue to track this event for additional detection measures

What you should do about it

  • Apply the official Pulse Connect Secure Patch (SA44784)
    • If patching is not possible, review and apply the workaround for CVE-2021-22893 [2]
  • Patch previously known Pulse Secure security vulnerabilities including CVE-2019-11510, CVE-2020-8243, and CVE-2020-8260
  • Utilize Pulse Secure’s Integrity Assurance tool to assess impact [3]
    • If impacted, notify eSentire’s Security Operations Center and follow the guidance outlined by Pulse Secure to secure the system [4]

Additional information

On April 20, 2021, Mandiant reported that previously known PCS vulnerabilities (CVE-2019-11510, CVE-2020-8243, CVE-2020-8260) and a zero-day (CVE-2021-22893) were exploited as early as August 2020, and some activity was still observed through March 2021. Pulse Secure notes that none of their other products were impacted by these issues.

Details on the zero-day vulnerability can be reviewed below:

  • CVE-2021-22893 – Pulse Connect Secure RCE Vulnerability (CVSS: 10.0) [2]
    • Using unspecified vectors, a remote unauthenticated threat actor could execute arbitrary code.
    • Affected PCS versions:
      • 9.0R3 and higher

Details on previously disclosed PCS vulnerabilities used in the attacks can be reviewed below:

  • CVE-2019-11510 (CVSS: 10.0) [6]
    • An unauthenticated threat actor with network access via HTTPS can send a specially crafted URI to perform an arbitrary file disclosure attack.
    • Affected PCS versions:
      • 9.0R1 to 9.0R3.3
      • 8.3R1 to 8.3R7
      • 8.2R1 to 8.2R12
  • CVE-2020-8243 (CVSS: 7.2) [7]
    • An unauthenticated threat actor could upload a custom template to perform arbitrary code execution.
    • Affected PCS versions:
      • 9.1Rx and below
  • CVE-2020-8260 (CVSS: 7.2) [8]
    • Using an uncontrolled gzip extraction, an unauthenticated threat actor could execute arbitrary code due to a vulnerability in the admin web interface.
    • Affected PCS versions:
      • 9.1Rx and below
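As an added example (not code from the advisory, eSentire or Pulse Secure), a small Python triage helper that parses PCS version strings and reports which of the affected ranges listed above contain a given build. The version format (major.minor, an R release number, and an optional sub-release) and the reading of "9.1Rx and below" and "9.0R3 and higher" as inclusive bounds are assumptions; the output only matches builds against the ranges transcribed from this advisory, so patch status must still be confirmed against SA44784.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version tuple: (major, minor, release, sub-release); sub-release is 0 when absent.
Version = Tuple[int, int, int, int]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")
_INF = 10**6  # stands in for "any sub-release" in an inclusive upper bound


def parse_version(text: str) -> Version:
    """Parse a PCS version string such as '9.0R3.3' or '8.3R7' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, sub = m.groups()
    return (int(major), int(minor), int(release), int(sub) if sub else 0)


def _upper(text: str) -> Version:
    """Inclusive upper bound: a bound written as '8.3R7' covers every 8.3R7.x build."""
    v = parse_version(text)
    has_sub = "." in text.split("R", 1)[1]
    return v if has_sub else (v[0], v[1], v[2], _INF)


# Affected ranges exactly as listed in the advisory above: (lower, upper), both inclusive.
# None means the range is open on that side.
AFFECTED: Dict[str, List[Tuple[Optional[Version], Optional[Version]]]] = {
    "CVE-2019-11510": [(parse_version("9.0R1"), _upper("9.0R3.3")),
                       (parse_version("8.3R1"), _upper("8.3R7")),
                       (parse_version("8.2R1"), _upper("8.2R12"))],
    "CVE-2020-8243": [(None, (9, 1, _INF, _INF))],      # 9.1Rx and below
    "CVE-2020-8260": [(None, (9, 1, _INF, _INF))],      # 9.1Rx and below
    "CVE-2021-22893": [(parse_version("9.0R3"), None)],  # 9.0R3 and higher
}


def affected_cves(version_text: str) -> List[str]:
    """Return the CVEs from the advisory whose listed ranges include this version."""
    v = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        for lo, hi in ranges:
            if (lo is None or v >= lo) and (hi is None or v <= hi):
                hits.append(cve)
                break
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up, not real appliances).
    for host, ver in [("vpn-a", "9.0R3.3"), ("vpn-b", "8.3R7.1"), ("vpn-c", "9.1R11.4")]:
        print(host, ver, affected_cves(ver) or "outside every listed range")
```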

Mandiant reported that twelve (12) malware families were used against organizations that were victims of the PCS attacks: ATRIUM, HARPULSE, LOCKPICK, PACEMAKER, PULSECHECK, PULSEJUMP, QUIETPULSE, RADIALPULSE, SLIGHTPULSE, SLOWPULSE, STEADYPULSE, and THINBLOOD. These malware variants were not all seen used together; some were observed in separate investigations, including malicious activity against U.S. Defense Industrial Base (DIB) networks and other U.S. and European victim organizations in sectors such as defense, government, and finance. The main purpose of these malware tools was to circumvent authentication and to gain backdoor access.

At the time of writing, there is no indication that the backdoors were used in a supply chain attack on Pulse Secure’s software deployment process or network. In addition, the Pulse Secure team noted that they observed a limited number of customers impacted by exploitation of PCS appliances.

References:

[1] https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html (Mandiant report)
[2] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/ (Workaround for CVE-2021-22893)
[3] https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755 (Integrity Tool Download)
[4] https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44764 (Integrity Tool FAQ)
[5] https://blog.pulsesecure.net/pulse-connect-secure-security-update/ (Pulse Connect Secure security update)
[6] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ (CVE-2019-11510)
[7] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588 (CVE-2020-8243)
[8] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601 (CVE-2020-8260)