Vulnerability in Pulse Connect Secure actively exploited
Updated at 11.50am on 4 May 2021: Pulse Security has released updates to resolve these vulnerabilities. The advisory has been updated and includes information on how to update your appliances. You can find the link to the Pulse Security advisory in the 'More Information' section below.
CERT NZ recommends applying these updates as soon as possible.
A vulnerability has been discovered in the Pulse Connect Secure VPN that is under active exploitation. This vulnerability allows unauthenticated remote code execution on the compromised device.
A patch for this vulnerability is expected in early May. In the meantime, Pulse Secure have released a workaround that can be applied, as well a file integrity scanner to check for compromise of systems. Mandiant have also published a blog detailing tactics and indicators of compromise (IoCs) that they have observed.
This vulnerability affects Pulse Connect Secure VPN appliances from version 9.0R3 and above, including:
- Pulse Connect Secure 9.1RX
- Pulse Connect Secure 9.0RX
What this means
It's been reported that attackers are exploiting the new vulnerability to deploy web shells and employ persistence and defence evasion techniques (see the Mandiant FireEye External Link report for specific techniques).
What to look for
How to tell if you're at risk
If you run a Pulse Connect Secure VPN appliance and have not yet applied the workaround supplied by Pulse Secure.
How to tell if you're affected
Pulse Secure has released a file integrity checking tool External Link that can be run on the affected appliance to assist in the discovery of compromised devices.
What to do
CERT NZ recommends the appliance is patched as soon as Pulse Secure makes the relevant patch available, which is expected in early May.
Currently, only a workaround is available to mitigate the impact. CERT NZ recommends that until a patch is available and applied, the Workaround-2104.xml file be uploaded to the device as per Pulse Secure’s instructions in the SA44784 security advisory. External Link
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.