Pulse Connect Secure remote access vulnerability | Traficom

Pulse Connect Secure remote access vulnerability

April 22, 2021 at 16:44

On 20 April 2021, Pulse Secure released an out-of-cycle mitigation tool regarding a critical remote access vulnerability. The vulnerability must be addressed immediately, as it is being actively exploited.

The vulnerability is present in Pulse Connect Secure 9.0R3 and later versions. It enables attackers to execute arbitrary code on the Pulse Connect Secure gateway. While no patch for the vulnerability has yet been made available, Pulse Secure has published mitigation instructions on its website.

The vulnerability, which is known as CVE-2021-22893, has been rated CVSS 10.0 (critical) in severity.

We recommend that users of the Pulse Secure VPN check it for signs of a breach. This should be done using the integrity tool provided by Ivanti Product Systems (parent company of Pulse Secure), which finds any additional or modified files. If such files are found, a breach has likely taken place. The tool can be downloaded from the Pulse Secure website.

If there is reason to believe that a data breach has taken place, it must be investigated immediately. Webshell backdoors have been placed on breached Pulse Secure VPN appliances. Signs of the backdoors may be found by examining the log data of the Pulse Secure VPN appliance’s web server, particularly for suspicious HTTP POST traffic. We also recommend that users check new or modified files in the /webserver/htdocs/dana-na/ directory of the Pulse Secure VPN appliance's web server and its subdirectories for malicious content.
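As an added example (not Traficom's, Pulse Secure's or Ivanti's tooling), the following Python script performs the two checks described above on constructed data: it flags HTTP POST requests under /dana-na/ to paths that are not on an operator-maintained allowlist, and it compares a SHA-256 manifest of the htdocs tree against a baseline taken from a known-good appliance. The log pattern, the sample log lines and the allowlist are assumptions; the appliance's real log layout and legitimate endpoints must be substituted before use.

```python
import hashlib
import os
import re
from collections import Counter

# Combined-style access log line (assumption: adapt to the appliance's actual log layout).
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def find_suspicious_posts(log_lines, known_paths, prefix="/dana-na/"):
    """Count POST requests under `prefix` whose path is not on the
    operator-maintained allowlist; returns {(client, path): count}."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string
        if path.startswith(prefix) and path not in known_paths:
            hits[(m["client"], path)] += 1
    return dict(hits)

def hash_tree(root):
    """Map every file under `root` (recursively) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_manifest(baseline, current):
    """Compare path->digest maps; return (added, modified) as sorted lists."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified

# Constructed sample log lines and allowlist (not from any real appliance).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Apr/2021:10:01:02 +0300] "GET /dana-na/auth/login.cgi HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Apr/2021:10:01:09 +0300] "POST /dana-na/auth/login.cgi HTTP/1.1" 302 0',
    '198.51.100.7 - - [21/Apr/2021:10:03:44 +0300] "POST /dana-na/example/unknown.cgi?a=1 HTTP/1.1" 200 88',
    '198.51.100.7 - - [21/Apr/2021:10:03:50 +0300] "POST /dana-na/example/unknown.cgi HTTP/1.1" 200 91',
]
KNOWN_PATHS = {"/dana-na/auth/login.cgi"}

if __name__ == "__main__":
    for (client, path), n in find_suspicious_posts(SAMPLE_LOG, KNOWN_PATHS).items():
        print(f"{client} POST {path} x{n}")
```

For the file check, run `hash_tree` on a known-good appliance to save a baseline manifest, then call `diff_manifest(baseline, hash_tree("/webserver/htdocs/dana-na"))` on the appliance under investigation; any added or modified file needs manual review.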

Please notify the National Cyber Security Centre Finland of all observations related to the vulnerability.

Workstations and end-user applications

Vulnerabilities in workstations and in applications for ordinary users often affect a large number of users. The target can be, for example, the Windows operating system or a word processor. The line between server applications and end-user applications is sometimes blurred; for example, the same operating system can be used on both servers and workstations.

Servers and server applications

Vulnerabilities in servers and server software affect, among others, providers of electronic services. Typical targets are server operating systems and web or e-mail server software, such as SunOS, Linux, Apache, IIS or Sendmail.

Remote

A remote attack is carried out over a network connection or similar, without local access to the targeted system.

No user interaction required

An attack that requires no user interaction targets the vulnerability directly, without any action by the system's user being needed for it to succeed. For example, the user does not have to browse a website or start a program; the attack can be carried out without the user's help.

Execution of arbitrary commands

A vulnerability that enables the execution of arbitrary commands must be considered serious, because the person exploiting it can use the targeted system just like an ordinary user of that system. It can also mean that an attacker who has broken into the system can upload and execute their own software on it over the network.

Security bypass

Security bypass means that, by exploiting a vulnerability, a protection intended to restrict use of the system is circumvented, for example by routing traffic past the firewall into a protected network.

In the wild

Software update patch

Normally, hardware or software manufacturers publish a new version or a partial update for the software or operating system soon after the vulnerability becomes public. The update may be available at the same time the vulnerability is published, but users often have to wait for it.

Restriction of the problem

Although an actual patch for the vulnerability is not always available, its effects can usually be limited, for example by temporarily refraining from using a certain feature or by restricting network traffic to the target system in a suitable manner.