Ivanti has confirmed a Pulse Connect Secure (PCS) appliance vulnerability that China-linked hackers allegedly used to spy on the U.S. defense industry, Reuters reports. Meanwhile, FireEye's Mandiant, in the first half of 2021 responded to multiple security incidents involving Pulse Secure VPN appliance compromises.
Here's a timeline tracking the Pulse Connect Secure VPN (virtual private network) vulnerabilities, investigation and patches to mitigate the issues:
May 3, 2021: Pulse Secure released a security update to address the issue outlined in Security Advisory SA44784 (CVE-2021-22893) impacting Pulse Connect Secure appliance. The company recommended that "customers move quickly to apply the update to ensure they are protected." Source: Pulse Secure.
April 29, 2021: The U.S. Department of Homeland Security has determined that flaws in Ivanti products may have allowed hackers to breach at least five federal agencies. The DOJ and the CISA did not identify the agencies. Source: Bloomberg.
April 20, 2021: The CISA issued an emergency directive ordering federal agencies to run a tool on all devices operating Pulse Connect Secure products to check for active exploits allegedly tied to Chinese government backed operatives. Source: MSSP Alert.
Pulse Secure VPN Vulnerabilities, Patches and Mitigations: April 20, 2021 Disclosure
Here are details about the Pulse Secure VPN vulnerabilities, according to an April 20 statement from Ivanti:
- Three Patches to Apply: Ivanti has discovered four issues, the bulk of which involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260). Ivanti strongly recommends that customers review the advisories and follow the recommended guidance, including changing all passwords in the environment if impacted.
- Fourth Patch Coming in May 2021: A new issue, discovered in April 2021, "impacted a very limited number of customers. Ivanti worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system." The company will be releasing a software update in early May 2021. Visit Security Advisory SA44784 (CVE-2021-22893) for more information.
- Focused Attacks: No other Pulse Secure products are impacted by these issues, and the issues are not connected to any other security or product availability incidents, Ivanti asserts.
- Threat Discovery Tool: A new Pulse Security Integrity Checker Tool, available now, allows customers to determine if they've suffered any incidents related to the vulnerabilities.
- Customer Hotline: For customers who believe they are impacted, Ivanti is providing advanced mitigations directly to customers as outlined in this Knowledge Base. Contact +1-844-751-7629 or engage an Ivanti support representative https://support.pulsesecure.net/support/support-contacts/.
Ivanti Acquires Pulse Secure
Ivanti acquired MobileIron and Pulse Secure in September 2020 to further bolster its unified endpoint management (UEM) and mobile endpoint security. The Pulse Secure VPN appliance security issue has apparently surfaced after the M&A deal closed.
Ivanti is backed by private equity firms Clearlake Capital Group and TA Associates. Ivanti was formed in 2017 when Clearlake Capital merged LANDESK with HEAT Software.
Ironically, former Pulse Secure CEO Sudhakar Ramakrishna is now CEO of SolarWinds. Ramakrishna left Pulse Secure before the April 2021 VPN attacks were discovered, and officially started as CEO of SolarWinds after that company discovered and disclosed the massive SolarWinds Orion breach.
Blog originally published in April 2021. Updated regularly thereafter with mitigation and investigation information.