Software update and workaroundĪll four CVEs have been addressed in Pulse Connect Secure version 9.1R.11.4. Invanti has also disclosed and patched a high severity unrestricted file upload flaw (CVE-2021-22900).
The first critical vulnerability (CVE-2021-22893), an authentication bypass vulnerability, was caused by a client-side code sign verification failure, present since April 12 when “the validity of the code signing certificate expired”, whereby the certificate expiry time was checked instead of the code signing timestamp. Critical bug trioīoth scoring a near-maximum CVSS of 9.9, the newly disclosed critical bugs include a command injection vulnerability (CVE-2021-22899) that allows authenticated users to perform RCE via Windows File Resource Profiles, and a buffer overflow bug in Pulse Connect Secure Collaboration Suite (CVE-2021-22894) that allows authenticated users to execute arbitrary code through a maliciously crafted meeting room.Ĭatch up on the latest network security news “Multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices persisting across upgrades, and maintaining access through webshells,” said Mandiant. In a lengthy technical write-up analyzing the deployment of 12 malware families, FireEye-owned incident response firm Mandiant said intrusions traced back to Pulse Secure flaws had been observed against defense, government, and financial organizations in the US, Europe, and elsewhere. Ivanti CSO Phil Richards said malicious activity had been “identified on a very limited number of customer systems”. The attackers, believed to include a group – ‘UNC2630’ – linked to APT5 and the Chinese government, have also targeted three Connect Secure vulnerabilities patched in 20: CVE-2019-11510, CVE-2020-8243, and CVE-2020-8260. The advice arrived amid reports of widespread, in-the-wild exploitation by suspected state-backed threat actors. The former zero-day bug, which can lead to remote code execution (RCE) and has a maximum CVSS score of 10, was first disclosed on April 20 along with suggested mitigations. Organizations that use Connect Secure, described by parent company Ivanti as the most widely used SSL VPN, were urged to update their systems immediately in a security advisory dropped yesterday (May 3). System updates urgent amid exploitation by nation-state attackersĪn actively exploited zero-day vulnerability in Pulse Connect Secure VPN appliances has been patched together with another pair of newly disclosed critical flaws.