{"id":8665,"date":"2021-05-21T06:16:56","date_gmt":"2021-05-21T13:16:56","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?post_type=patch_watch&p=8665"},"modified":"2023-03-03T14:19:28","modified_gmt":"2023-03-03T21:19:28","slug":"patch-watch-csw-analysis-of-pulse-secure-vulnerabilities","status":"publish","type":"patch_watch","link":"https:\/\/webdev.securin.xyz\/patch_watch\/patch-watch-csw-analysis-of-pulse-secure-vulnerabilities\/","title":{"rendered":"Patch Watch: CSW Analysis of Pulse Secure Vulnerabilities"},"content":{"rendered":"
\n

Did you know Chinese-state hackers have breached five federal agencies by leveraging Pulse Secure vulnerabilities?<\/a><\/strong><\/span><\/p>\n<\/blockquote>\n

{Update}:<\/strong>\u00a0 Pulse Secure has issued an emergency patch<\/a> for six vulnerabilities in Pulse Connect Secure (PCS) system software. These vulnerabilities have Remote Code Execution capabilities and have CVSS v3 scores ranging from 7.6 to 9.1 (high to critical). Researchers have confirmed that these vulnerabilities are a bypass of the patch for CVE-2020-8260 which was fixed back in October 2020, albeit, ineffectively. Hence, we encourage all Pulse Secure users to update to the latest version of 9.1R12.<\/p>\n

On April 15th, CISA <\/a>issued an alert to organizations about Pulse Secure vulnerabilities being used to disrupt critical services in the United States. In a joint statement, organizations such as the NSA, FBI, and CISA called out five vulnerabilities. One was a popular weakness in Pulse Secure and was discovered in 2019. Till date, 388 devices worldwide are vulnerable to this weakness. Check out more about this in our blog here<\/a>.<\/p>\n

New Vulnerability Found in Pulse Connect Secure:\u00a0<\/strong><\/h2>\n

On May 14, 2021 a high severity vulnerability (CVE-2021-22908<\/a>) was identified in Pulse Connect Secure with a buffer overflow weakness, which allows an attacker to execute code as a user with root privileges. This vulnerability affects PCS versions 9.0Rx and 9.1Rx and has been accredited a CVSS V3 score of 8.5. To resolve this situation, Pulse Secure has issued an out-of-cycle patch<\/a> and a workaround<\/a> to mitigate the affected versions.<\/p>\n

In this Patch Watch edition, CSW researchers analyzed 93 security vulnerabilities in 16 Pulse Secure products and spotlight what weaknesses need to be addressed immediately and why.<\/p>\n

\"\"<\/p>\n

Weaponized Vulnerabilities<\/strong><\/h2>\n

Remote Code Execution (RCE) is the most severe type of vulnerability as they allow threat actors to remotely deploy code leading to the execution of additional malware payloads. We identified three CVEs as RCE bugs (CVE-2019-11510, CVE-2019-11539, CVE-2020-8260) with a CVSS V3 score ranging from 6.5 – 10 (high – critical), and one CVE has PE capabilities with a CVSS V3 score of 1.9 (low).<\/p>\n

CVE-2019-11510 that exists in Pulse Connect Secure with a CVSS V3 score of 10 (critical) was found to be trending lately. This arbitrary file reading vulnerability is capable of enabling unauthenticated threat actors to access private keys and user passwords. Interestingly we red-flagged this vulnerability in our Cyber Risk in VPNs<\/a> in 2020.<\/p>\n

CVE-2019-11510, CVE-2019-11507,\u00a0 and CVE-2019-11539 are connected to five ransomware strains (Sekhmet, Mailto, Maze, Sodinokibi, Black Kingdom) and 14 APT Groups (TA2101, APT1, APT29, Anonymous, AnonSec, FIN6, Pinchy Spider, GOLD SOUTHFIELD, APT29, APT33, APT34, APT39, APT41, APT5) leading to hijack of a system or remote tampering into critical organizations.<\/p>\n

Severity Scores<\/strong><\/h2>\n

\"\"<\/p>\n

Old Vulnerabilities<\/strong><\/h2>\n

99% of the vulnerabilities are older weaknesses ranging from the year 2016 \u2013 2020. All the seven weaponized vulnerabilities are old weaknesses. Therefore, patching these vulnerabilities on priority is essential.<\/p>\n

\"\"<\/p>\n

Zero-Days<\/strong><\/h2>\n

A recent zero-day (CVE-2021-22893<\/a>) found in Pulse Connect Secure product, got the CVSS V3 score of 10 (critical), is being actively exploited in the wild by hackers. We urge Pulse Secure VPN users to patch<\/a> this newly disclosed vulnerability that allows an unauthenticated user to perform remote arbitrary file execution on the Pulse Secure Connect gateway.<\/p>\n

CISA Alerts<\/strong><\/h2>\n

11 CVEs have been red-flagged by CISA and worryingly, two CVEs in Pulse Connect Secure plus and one CVE in Steel-Belted Radius remain unpatched, and seven CVEs are marked as high severity.<\/p>\n

On 21 July 2021, CISA has issued an alert<\/a> disclosing their findings on 13 malware samples <\/a>related to exploited Pulse Secure devices.<\/p>\n

CWE Analysis<\/strong><\/h2>\n

Based on Common Weakness Enumeration, 17 CVEs have been categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) – a weakness category that ranks number 1 CWE on MITRE\u2019s Top 25 dangerous CWEs.<\/p>\n

\"\"<\/p>\n