Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs
2021-05-04 17:42

Pulse Secure has rushed a fix for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.

Pulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.

The zero-day is related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday, and "allows a remote unauthenticated attacker to execute arbitrary code via license server web services." It can be exploited without any user interaction.

Threatpost has reached out to Pulse Secure to find out whether these bugs are also being actively exploited in the wild.

CVE-2021-22899: A command-injection bug in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform RCE via Windows File Resource Profiles.

April: The Department of Homeland Security urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims' credentials - and now are using those credentials to move laterally through organizations, DHS warned.


News URL

https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK

2021-05-27 | CVE-2021-22899 | Command Injection vulnerability in multiple products | 8.8
A command injection vulnerability in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via the Windows Resource Profiles feature.
network, low complexity; pulsesecure, ivanti; CWE-77

2019-05-08 | CVE-2019-11510 | Path Traversal vulnerability in Ivanti Connect Secure 8.2/8.3/9.0 | critical, 10.0
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file read.
network, low complexity; ivanti; CWE-22