Security News > 2021 > May > Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs
Pulse Secure has rushed a fix for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.
Pulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.
The zero-day is related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday, and "allows a remote unauthenticated attacker to execute arbitrary code via license server web services." It can be exploited without any user interaction.
Threatpost has reached out to Pulse Secure to find out whether these bugs are also being actively exploited in the wild.
CVE-2021-22899: A command-injection bug in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform RCE via Windows File Resource Profiles.
April: The Department of Homeland Security urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims' credentials - and now are using those credentials to move laterally through organizations, DHS warned.
News URL
https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2021-05-27 | CVE-2021-22899 | Command Injection vulnerability in multiple products | A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature | 8.8 |
2019-05-08 | CVE-2019-11510 | Path Traversal vulnerability in Ivanti Connect Secure 8.2/8.3/9.0 | In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. | 10.0 |