Vulnerability in Pulse Connect Secure actively exploited

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates to be notified as soon as we publish an advisory.

10:45am, 21 April 2021

TLP Rating: Clear

Vulnerability in Pulse Connect Secure actively exploited

Updated at 11.50am on 4 May 2021: Pulse Security has released updates to resolve these vulnerabilities. The advisory has been updated and includes information on how to update your appliances. You can find the link to the Pulse Security advisory in the 'More Information' section below.

CERT NZ recommends applying these updates as soon as possible.

-----

A vulnerability has been discovered in the Pulse Connect Secure VPN that is under active exploitation. This vulnerability allows unauthenticated remote code execution on the compromised device.

A patch for this vulnerability is expected in early May. In the meantime, Pulse Secure have released a workaround that can be applied, as well a file integrity scanner to check for compromise of systems. Mandiant have also published a blog detailing tactics and indicators of compromise (IoCs) that they have observed.

What's happening

Systems affected

This vulnerability affects Pulse Connect Secure VPN appliances from version 9.0R3 and above, including:

  • Pulse Connect Secure 9.1RX
  • Pulse Connect Secure 9.0RX

What this means

It's been reported that attackers are exploiting the new vulnerability to deploy web shells and employ persistence and defence evasion techniques (see the Mandiant FireEye External Link report for specific techniques).

What to look for

How to tell if you're at risk

If you run a Pulse Connect Secure VPN appliance and have not yet applied the workaround supplied by Pulse Secure.

How to tell if you're affected

Pulse Secure has released a file integrity checking tool External Link that can be run on the affected appliance to assist in the discovery of compromised devices.

What to do

Prevention

CERT NZ recommends the appliance is patched as soon as Pulse Secure makes the relevant patch available, which is expected in early May.

Mitigation

Currently, only a workaround is available to mitigate the impact. CERT NZ recommends that until a patch is available and applied, the Workaround-2104.xml file be uploaded to the device as per Pulse Secure’s instructions in the SA44784 security advisory. External Link

More information

Pulse Secure SA44784 Security Advisory External Link

Pulse Connect Secure File Integrity Tool External Link

Mandiant FireEye Blog External Link

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384