Patch Issued for Critical Vulnerability in Pulse Connect Secure VPNs
Ivanti Pulse Secure announced a patch on Monday for a "Critical"-rated vulnerability (CVE-2021-22893) in its Pulse Connect Secure VPN appliances.
The release follows up on Pulse Secure's pledge to deliver a fix for the vulnerability in "early May." It addresses a remote code execution vulnerability on the Pulse Connect Secure gateway that was rated "10" on the Common Vulnerability Scoring System scale.
Pulse Secure had issued Security Advisory SA44784 regarding the vulnerability back on April 20. At that time, the company indicated it was providing "mitigations directly to the limited number of impacted customers," prior to the arrival of a patch.
The company credited collaborations with the U.S. Cybersecurity and Infrastructure Security Agency, the Mandiant/FireEye security solutions firm and Stroz Friedberg for getting the patch out "in such short order." The Cybersecurity and Infrastructure Security Agency also noted the patch's release in an advisory on Monday.
Organizations using the Pulse Connect Secure gateway should "move quickly to apply the update to ensure they are protected," Pulse Secure's Monday announcement urged. Also recommended was the use of the Pulse Security Integrity Checker Tool, which can help Pulse Secure customers "identify malicious activity on their systems."
CVE-2021-22893 is just one of four prominent vulnerabilities found in the Pulse Connect Secure gateway over the past year or so. This latest one was being exploited by advanced persistent threat groups to install web shells, according to analysis by Mandiant/FireEye.
In response, Pulse Secure is planning to tighten its application development standards, according to CSO Phil Richards.
"Companywide we are making significant investments to enhance our overall cyber security posture, including a more broad implementation of secure application development standards," Richards indicated in the announcement.
VPN maker Pulse Secure was acquired last year by Ivanti, a producer of security and IT management solutions.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.