Situation Update - April 30, 2021
The Cybersecurity and Infrastructure Security Agency (CISA) has updated Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities, originally released April 20. This update adds a new Detection section providing information on Impossible Travel and Transport Layer Security (TLS) Fingerprinting that may be useful in identifying malicious activity.
Original Posting - April 21, 2021
What you need to know
Is the disclosed zero-day vulnerability patched? NO; the vendor is developing a patch that is expected to be released in early May.
Are workarounds available? YES, including running the Pulse Connect Secure Integrity Tool.
Is this vulnerability being actively exploited? YES, along with two previously disclosed vulnerabilities.
Due to ongoing exploitation of Ivanti Pulse Connect Secure (PCS) SSL VPN vulnerabilities, CISA has issued Emergency Directive (ED) 21-03 and Alert AA21-110A. Exploitation of these vulnerabilities could allow an attacker to gain persistent system access and take control of the enterprise network operating the vulnerable PCS device.
Specifically, ED 21-03 directs federal departments and agencies to run the Pulse Connect Secure Integrity Tool on all instances of PCS virtual and hardware appliances to determine whether any PCS files have been maliciously modified or added.
According to FireEye, the investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021 (CVE-2021-22893) is responsible for the initial infection vector.
CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to follow the guidance in Alert AA21-110A, which includes:
- Running the Pulse Connect Secure Integrity Tool
- Updating their Pulse Connect Secure appliance to the latest software version
- Implementing the mitigation provided by Ivanti Pulse Secure (if evidence of compromise is found)
As usual, even though Emergency Directives apply to Federal Civilian Executive Branch departments and agencies, CISA strongly recommends that state and local governments, the private sector, and others follow the recommended guidance, including running the Pulse Connect Secure Integrity Tool, and review ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities for additional mitigation recommendations.
For additional information regarding this ongoing exploitation, see the FireEye blog post: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day and the CERT Coordination Center (CERT/CC) Vulnerability Note VU#213092. Access the ED, AA, and other recommended guidance at CISA.