Zero-trust VPN provider Pulse Secure disclosed an authentication bypass zero-day on Tuesday for its Pulse Connect Secure (PCS) SSL-VPN devices. The vulnerability is rated Critical, and no patch is yet available.
Mitigation is currently accomplished with a workaround. Administrators of PCS systems should perform the workaround and follow detection steps to determine compromise.
US-CERT/CISA, as well as research/breach response firm Mandiant, have also released advisories stating that this new vulnerability (CVE-2021-22893) may be chained together with the following vulnerabilities (possibly by multiple threat actor groups) to compromise the VPN server and steal VPN user credentials, which are then used to further compromise the victim:
- CVE-2019-11510
- CVE-2020-8260
- CVE-2020-8243
What is the nature of the vulnerability?
In an out-of-cycle advisory Tuesday, Pulse Secure detailed a critical vulnerability in its SSL-VPN device software that allows authentication bypass in a number of ways.
In a blog post, Mandiant noted they are tracking 12 malware families associated with exploits for the Pulse Secure VPN devices, following several incidents of compromise earlier this year that until now had no clear determination of how attackers gained admin-level access. Targets included organizations in defense, government, and financial sectors.
The vulnerability has now been identified by Pulse Secure as CVE-2021-22893, an authentication bypass in Pulse Connect Secure, the zero-trust gateway that stands between the authentication mechanism and protected assets.
The initial attack uses a chain of vulnerabilities to harvest credentials, then traverses the network laterally using legitimate account credentials.
Persistence was achieved by modifying legitimate binaries and scripts on the appliance as well as writing web shells to the appliance itself.
Slowpulse
Security researchers at FireEye uncovered what they call a “novel malware family” during their investigation, dubbing it “SLOWPULSE.” The malware and its multiple variants are modifications to legitimate Pulse Secure files that bypass or log credentials in authentication flows in the Pulse Secure shared object libdsplibs.so.
The variants are:
- SLOWPULSE Variant 1: bypasses LDAP and RADIUS-2FA routines if a secret backdoor password is provided by the attacker.
- SLOWPULSE Variant 2: ACE Two Factor Auth Credential Logging – during the ACE-2FA procedure, it logs username and password to a file.
- SLOWPULSE Variant 3: ACE Two Factor Auth Bypass – totally bypasses the ACE-2FA login procedure; the attacker can spoof successful authentication.
- SLOWPULSE Variant 4: RealmSignin Two Factor Auth Bypass – the procedure is modified to spoof successful authentication.
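Every SLOWPULSE variant works by altering a legitimate file on the appliance, which is why file-system integrity checking is the primary detection. The following is an added example (not code from Pulse Secure, Ivanti or FireEye) showing the baseline-and-compare logic such a check relies on: hash every file under a root, store the result as a manifest, and later diff a fresh manifest against it to report modified, added and removed files. The directory contents and the tampering in `demo()` are constructed for illustration; only the file name `libdsplibs.so` comes from the page.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hash."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Diff a known-good manifest against a current one."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate the kinds of change an
    integrity checker should surface (patched library, new file, deleted script)."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "libdsplibs.so")   # name from the page; bytes are made up
        script = os.path.join(root, "legit.pl")     # hypothetical file name
        with open(lib, "wb") as fh:
            fh.write(b"original shared object bytes")
        with open(script, "wb") as fh:
            fh.write(b"original script bytes")
        baseline = build_manifest(root)

        # Simulated tampering: library altered, unexpected file dropped, script removed.
        with open(lib, "wb") as fh:
            fh.write(b"altered shared object bytes")
        with open(os.path.join(root, "unexpected.cgi"), "wb") as fh:
            fh.write(b"unexpected content")
        os.remove(script)

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

On a real appliance the baseline must come from a trusted source (the vendor's tool ships its own known-good hashes); a manifest generated after compromise would simply bless the attacker's changes.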
What’s at risk?
Breach and compromise of a VPN exposes an organization’s network to subsequent attacks which can result in the full gamut of damage including credential harvesting, data exfiltration, vandalism, and malicious repurposing of infrastructure.
Affected versions
- Pulse Connect Secure 9.0RX
- Pulse Connect Secure 9.1RX
What can I do to protect against this vulnerability?
Pulse Secure states that the patching solution is to upgrade to version 9.1R.11.4, but as of yet there is no timeline for release. They have outlined a workaround to address the initial attack vector by blacklisting the URL-based attack.
Follow the instructions in the Pulse Secure Knowledge Base article found here:
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
How can I determine if SSL-VPN has been compromised?
Pulse Secure believes that at this time, only a select few organizations have been targeted. They’ve made available the Ivanti Integrity Checker Tool, which verifies that no changes have been made to the file system on the VPN device.
They recommend:
- Using the Integrity Checker Tool to scan for file system changes: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755
- Reviewing logs for unusual authentications
- Updating with the latest security enhancements from March 31
FireEye/Mandiant additionally covers multiple indicators in their blog that can be searched for (if the proper logging was enabled), including correlating LDAP or RADIUS logs with VPN server logs.
Failures in LDAP/RADIUS with successes in VPN logs may indicate a compromised VPN user account via this attack.
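The LDAP/RADIUS-to-VPN correlation described above can be scripted. The following is an added example, not code from FireEye, Mandiant or Pulse Secure: it parses two constructed log extracts in a simplified, hypothetical format (not the appliance's real log syntax), and flags every VPN login that either follows a backend authentication failure for the same user, or has no backend authentication event at all within the lookback window. The second case matters because a variant that bypasses the 2FA routine entirely leaves no backend success to correlate.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a hypothetical "<ts> <source> <event> user=<u> ..." format.
AUTH_BACKEND_LOG = """\
2021-04-20T10:01:05Z radius auth-failure user=jdoe src=203.0.113.10
2021-04-20T10:02:10Z ldap auth-success user=asmith src=203.0.113.11
2021-04-20T10:03:30Z ldap auth-failure user=bwong src=203.0.113.12
"""

VPN_LOG = """\
2021-04-20T10:01:07Z vpn login-success user=jdoe src=203.0.113.10 realm=Users
2021-04-20T10:02:12Z vpn login-success user=asmith src=203.0.113.11 realm=Users
2021-04-20T10:03:32Z vpn login-success user=bwong src=203.0.113.12 realm=Users
2021-04-20T10:05:00Z vpn login-success user=cdiaz src=203.0.113.13 realm=Users
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<event>[\w-]+)\s+user=(?P<user>\S+)")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": match.group("source"),
                       "event": match.group("event"), "user": match.group("user")})
    return events


def find_suspicious_logins(backend_log, vpn_log, window_seconds=120):
    """Return (user, timestamp, reason) for each VPN success that is not backed by a
    backend auth-success for the same user within the preceding window."""
    backend = parse_log(backend_log)
    window = timedelta(seconds=window_seconds)
    findings = []
    for login in parse_log(vpn_log):
        if login["event"] != "login-success":
            continue
        recent = [e for e in backend
                  if e["user"] == login["user"]
                  and login["ts"] - window <= e["ts"] <= login["ts"]]
        if any(e["event"] == "auth-success" for e in recent):
            continue  # backend agrees with the VPN: nothing to flag
        reason = "backend-failure" if any(e["event"] == "auth-failure" for e in recent) \
            else "no-backend-event"
        findings.append((login["user"], login["ts"].isoformat(), reason))
    return findings


if __name__ == "__main__":
    for user, ts, reason in find_suspicious_logins(AUTH_BACKEND_LOG, VPN_LOG):
        print(f"{ts} {user}: {reason}")
```

Against the constructed input, jdoe and bwong are flagged because their backend authentication failed seconds before the VPN accepted them, cdiaz is flagged because no backend event exists at all, and asmith is not flagged. Clock skew between the VPN appliance and the LDAP/RADIUS server is the usual source of false positives; widen `window_seconds` accordingly, and treat a missing backend event as an alert only if backend logging is known to be complete for the period.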
If the VPN device is impacted, we recommend that organizations that believe they have been compromised with this attack chain initiate incident response and forensics procedures immediately and begin a password reset for all users with Pulse Secure VPN access.
Activity on other endpoints via established VPN connections with users who logged in post-compromise should be thoroughly investigated.
Still have questions?
Contact your SOC Lead, or call the Novacoast SOC at (866) 863-9575 to speak with our briefed technicians who can advise and assist you.
Resources
CISA Alert
https://us-cert.cisa.gov/ncas/alerts/aa21-110a
Pulse Secure Advisory
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
Pulse Secure Knowledge Base Article
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755
FireEye comprehensive writeup
https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
ZJ