The security company Mandiant reports attacks on companies that use Pulse Connect Secure SSL VPN appliances. Among other things, the attackers exploit a previously unknown security vulnerability. The vendor Pulse Secure has published a security advisory with workarounds and has announced updates that will close the gap soon.
Pulse Secure speaks of an "authentication bypass", i.e. the possibility of circumventing the login on the devices and executing code. Accordingly, the vendor rates the vulnerability CVE-2021-22893 at the highest possible severity level, "critical" (CVSS 10/10). There is no patch or fixed firmware version yet.
Instead, Pulse Secure describes a workaround that is intended to secure affected Pulse Connect Secure appliances temporarily. It disables the Windows File Share Browser and Pulse Secure Collaboration. In addition, a blacklist is supposed to block certain URLs used in the attacks. With a special tool called Pulse Connect Secure Integrity Assurance, customers should also check whether their VPN appliance has already been compromised.
The vulnerability is already being actively exploited. Mandiant reports at least two different groups, UNC2630 and UNC2717, which have installed 12 different malicious programs. These are backdoors in the form of webshells. The victims are found primarily in the US military-industrial complex (Mandiant speaks of the U.S. Defense Industrial Base), but European organizations are also affected.
The incident is in some ways reminiscent of the security vulnerabilities in Citrix VPNs (#shitrix). There, too, a zero-day vulnerability was exploited before patches were available, and the attackers succeeded in installing backdoors. Where these were not discovered when the patches were applied, there was a rude awakening later: the University Hospital Düsseldorf, for example, struggled for months with ransomware. Admins should therefore not only seal their Pulse Connect Secure appliances but also search for unwanted leftovers from potential attackers.