Ivanti Issues Software Update to Resolve Flaw in Pulse Connect Secure VPN
Ivanti has released a software update to resolve the recently disclosed zero-day authentication bypass vulnerability affecting the Pulse Connect Secure VPN software.
The software update addresses a security flaw tracked as CVE-2021-22893, which cyber actors are currently exploiting to gain access to compromised devices.
The patch is the only known solution to remediate the issue, Health IT Security reported Tuesday.
Three other vulnerabilities associated with the VPN software (CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243) were patched in 2019 and 2020, but not all organizations have applied the updates.
Citing persistent attacks on U.S. businesses and agencies, the Pulse Secure team vowed to continue working with customers, the broader security industry, law enforcement and government agencies to mitigate security threats.
Active exploitation of the vulnerabilities has affected government agencies, private sector networks and critical infrastructure agencies.
Cyber actors who have successfully exploited the flaw are able to place webshells on devices running the vulnerable software. Webshells are pieces of code that hackers can use to perform authentication bypass, multi-factor authentication bypass and password logging.
The VPN flaw has been acknowledged by the Cybersecurity and Infrastructure Security Agency.
Upon learning of the exploitation of the vulnerability, CISA issued an emergency directive instructing affected agencies to use the Pulse Connect Secure Integrity Tool to check the integrity of their file systems and search for additional or modified files. Agencies were directed to run the tool on a daily basis while waiting for a software update.