WIREDGOV

Advice for UK organisations using Pulse Connect Secure (PCS) VPN appliances.

FireEye has published a blog saying that APT actors are actively exploiting vulnerabilities in Pulse Connect VPN appliances.

The NCSC is aware of an unauthenticated remote code execution vulnerability affecting Pulse Connect Secure (PCS) version 9.0R3 and higher (CVE-2021-22893). Pulse Secure says it recently discovered that a limited number of customers have experienced evidence of exploit behaviour on their Pulse Connect Secure (PCS) appliances.

Pulse Secure has published a workaround that should be implemented immediately. However, Pulse have said that the workaround does not work for PCS versions 9.0R1 - 9.0R4.1 or 9.1R1-9.1R2. Therefore, an upgrade of PCS will need to be undertaken before implementing the workaround. The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities.

The workaround is a temporary measure until Pulse Connect Secure server version 9.1R.11.4 has been released. Read the Pulse Secure advisory for more information.

The NCSC strongly advises UK customers using Pulse Connect Secure VPN devices to regularly run the integrity tool checker provided by the vendor. This tool checks the integrity of the complete file system and finds any additional/modified file(s). This will help identify possible activity resulting from the exploitation of Pulse Secure Connect vulnerabilities.

The US Department of Homeland Security’s (DHS) Cybersecurity Infrastructure Security Agency (CISA) has published an Emergency Directive on this issue.

Reporting a compromise

Affected UK organisations should report any suspected compromises to the NCSC via the website.