On April 20, 2021, Ivanti disclosed that a new remote code execution (RCE) vulnerability in its Pulse Connect Secure VPN product was being actively exploited. Assigned CVE-2021-22893, this vulnerability allows an attacker to bypass authentication and perform unauthorized arbitrary code execution. CVE-2021-22893 affects Pulse Connect Secure versions 9.0r3 and higher and has a CVSS 3.1 score of 10 (Critical).
Ivanti has released a patch that addresses this vulnerability. For more information, refer to Recommendations for Mitigation.
Alert Logic’s IT and cloud platforms are not affected by this vulnerability.
There is currently very little public information on what the specific vulnerability is or how it works. Ivanti’s Security Advisory describes CVE-2021-22893 as a vulnerability within Pulse Connect Secure that allows unauthenticated RCE “via unspecified vectors.” According to an alert published by the Cybersecurity and Infrastructure Security Agency (CISA):
“To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place web shells on the Pulse Connect Secure appliance for further access and persistence. The known web shells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.”
Additionally, Mandiant and FireEye have published a report stating they have observed multiple actors using CVE-2021-22893 to deploy malware:
“In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020, while other intrusions were due to the exploitation of CVE-2021-22893.”
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has released SNMP authenticated scan coverage to identify vulnerable assets.
Network IDS: Alert Logic will be deploying community-sourced IDS signatures. As more information becomes available, Alert Logic will review it to develop additional coverage.
Web Application Firewall: Alert Logic has released virtual patches for Web Security Manager that enforce the URI blocks recommended by Pulse Secure.
Log Management: Alert Logic has deployed log-based telemetry for known attack indicators and is actively researching additional detection options.
Recommendations for Mitigation
Ivanti has released patch 9.1 R11.4 for this vulnerability. Because the vulnerability is actively being exploited, it is highly recommended to install this update immediately to protect against this attack.
Note: If you have applied the previous workaround, please remove it after applying the 9.1 R11.4 release fix with the following steps:
- Import the attached file remove-workaround-2104.xml (found in the same download location as the Workaround-2104.xml download).
- Restore the previous settings for "Files, Windows" and "Meetings."
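The advisory gives two version boundaries (affected from 9.0r3, fixed in 9.1 R11.4), which is enough to triage an appliance inventory. The following is an added example (not Alert Logic's or Ivanti's code) that parses Pulse Connect Secure version strings in the "9.1R11.4" style and flags hosts still in the affected range; the hostnames and version strings are constructed sample data.

```python
import re
from typing import Dict, Tuple

# Boundaries taken from the advisory text: affected from 9.0r3, fixed in 9.1 R11.4.
FIRST_AFFECTED = "9.0R3"
FIXED = "9.1R11.4"

# Accepts "9.1R11.4", "9.0r3" and "9.1 R11.4" (optional whitespace around the R).
_VER_RE = re.compile(r"^\s*(\d+)\.(\d+)\s*[rR]\s*(\d+)(?:\.(\d+))?\s*$")


def parse_pcs_version(ver: str) -> Tuple[int, int, int, int]:
    """Turn a Pulse Connect Secure version string into a sortable (major, minor, release, build) tuple."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised Pulse Connect Secure version: {ver!r}")
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def is_affected_by_cve_2021_22893(ver: str) -> bool:
    """True when the version is at or above 9.0R3 and below the 9.1R11.4 fix."""
    v = parse_pcs_version(ver)
    return parse_pcs_version(FIRST_AFFECTED) <= v < parse_pcs_version(FIXED)


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host in an inventory (hostname -> version string) to its affected status."""
    return {host: is_affected_by_cve_2021_22893(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "vpn-01.example.test": "9.1R11.3",
        "vpn-02.example.test": "9.1 R11.4",
        "vpn-03.example.test": "8.3R7",
    }
    for host, affected in triage(sample).items():
        print(host, "AFFECTED - patch to 9.1R11.4" if affected else "not affected")
```

A version check only confirms patch status; it does not tell you whether an appliance was already compromised, and the CISA alert quoted above notes that the observed web shells can persist through patching.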
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.
04/26/2021: On April 26, 2021, Alert Logic released unauthenticated scan coverage for previous and current Pulse vulnerabilities. Scans that are executed will now report these vulnerabilities.
04/27/2021: On April 27, 2021, Alert Logic released virtual patches for Web Security Manager that enforce the URI blocks recommended by Pulse Secure.
05/03/2021: On May 03, 2021, Ivanti released patch 9.1 R11.4 to resolve this vulnerability.