CVE-2021-22893 is classified as a critical zero-day in Pulse Secure VPN devices, and it has been exploited by nation-state hackers in attacks against US defense, finance, and government targets. Attacks against European targets have also been observed, according to a Pulse Secure advisory.
CVE-2021-22893 Technical Overview
The zero-day allows remote code execution attacks with admin-level access to vulnerable devices. The vulnerability will be addressed in early May, and until then, affected parties can use the Pulse Connect Secure Integrity Tool to make sure their systems are safe. The tool was created with the help of Ivanti, Pulse Secure’s parent company.
The investigation the researchers carried out revealed four vulnerabilities that attackers are attempting to exploit. Three of them were fixed in 2019 and 2020. Fortunately, the new zero-day impacts a small number of customers. Nonetheless, the issue is critical, with a score 10 of 10 according to the CVSS scale. What makes the vulnerability really dangerous is the fact it can be exploited without user interaction.
Before the patch arrives, users can try the available mitigations, which involve importing a file called “Workaround-2104.xml,” which can be taken from the official advisory. The file will disable the Windows File Share Browser and Pulse Secure Collaboration features on the vulnerable device.
Another mitigation option is using the blacklisting feature to disable URL-based attacks by blocking these URIs:
^/+dana/+meeting
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
^/+dana-ws/+namedusers
^/+dana-ws/+metric
“Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices. These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families,” Mandiant research revealed.
Mandiant, Ivanti, Pulse Secure, Microsoft Threat Intelligence Center, and government and law enforcement agencies continue to investigate the CVE-2021-22893 threat to develop mitigations for affected Pulse Secure VPN appliance owners.
Previous attacks exploiting VPN flaws to gain access to government networks
This is not the first case of threat actors exploiting VPN and other flaws to breach various networks. In October last year, we reported attacks combining VPN and Windows vulnerabilities that provided access to state, local, tribal, and territorial government networks.
Two specific security flaws were chained – CVE-2018-13379 and CVE-2020-1472. The first vulnerability is located in the Fortinet FortiOS Secure Socker Layer (SSL) VPN. The application is an on-premise VPN server that serves as a secure gateway for access to enterprise networks from remote locations. It is a path traversal vulnerability in the FortiOS SSL VPN web portal that could enable unauthenticated attackers to download files via specially crafted HTTP resource requests.