Skip to main content

Pulse Secure Zero-Day Exploits

pulse secure zero day kwetsbaarheid

This blog contains information about the Pulse Secure vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog.

Update May 4, 2021

10:00 | A patch had been released for this vulnerability. Our advise is to patch your systems as soon as possible.

Update April 22, 2021

16:00 | The most important advise remains to run Pulse Security Integrity Checker as described in KB44755. In case the Integrity Checker finds strange behaviour, then please follow the steps described in KB44764. Tesorion strongly advises you also to change your passwords, because it is possible that these credentials could be used to gain unauthorized access to your network. We highly recommend engaging a forensic provider to help you fully understand the impact to your system.

Update April 21, 2021

11:00 | Ivanti has recently published information regarding a vulnerability in their Pulse Secure appliances. Pulse Connect Secure versions 9.0R3 and higher are impacted. By making use of this Zero-Day exploit1, an attacker can gain access to the ‘Pulse Connect Secure gateway’ and execute arbitrary code there.

Ivanti has released a file which functions as a workaround for this vulnerability.
A full patch will be released in May 2021. It is possible that vulnerable systems have already been attacked prior to the publication of the vulnerability.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Potential risk

The vulnerability has been reported under CVE-2021-22893. All verisons of Pulse Secure from 9.0R3 upwards are vulnerable.

When the vulnerability is successfully exploited, an attacker can gain full access to the Pulse Secure system. Attackers can also establish persistence on the system and install malware, allowing them to perform additional attacks later.

As a workaround, Pulse Secure has created an XML file which can be imported on the Pulse Secure appliance. This file disables the following functionality on the system:

  • Windows File Share Browser
  • Pulse Secure Collaboration

Additionally, URIs have been published which are related to the exploitation of the vulnerability. The following URIs can be blocked on the network for additional protection:

  • ^/+dana/+meeting
  • ^/+dana/+fb/+smb
  • ^/+dana-cached/+fb/+smb
  • ^/+dana-ws/+namedusers
  • ^/+dana-ws/+metric

When the patch becomes available in May, Ivanti recommends removing the workaround. Instructions for this are available on the security advisory page.

Detail info

Tesorion advises to implement the workarounds as soon as possible. Blocking the above URIs can offer additional protection.

Pulse Secure has published a tool to scan systems for evidence of the use of these vulnerabilities. This tool checks the integrity of the file system and finds possible added or changed files. The tool is available here:

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755

The tool is only available for versions 9.1R1+ and 8.3R7.1, it is not suitable for 9.0, this version is however vulnerable!

Background

  1. Zero-day exploits: Exploits for which no patch is available yet.

Subscribe