Critical zero-day vulnerability in Pulse Secure and SonicWall products

21.04.2021 - On 20 April, security researchers published information about several vulnerabilities in two security products from Pulse Secure and SonicWall. Current information shows that these vulnerabilities are already being actively exploited by unknown threat actors in targeted attacks to gain access to victims' networks (zero-day exploitation).

The following products are affected:

Vendor: SonicWall

Product: SonicWall Email Security (ES)

Vulnerabilities:
CVE-2021-20021        Unauthorized administrative account creation
CVE-2021-20022        Post-authentication arbitrary file upload
CVE-2021-20023        Post-authentication arbitrary file read

NCSC recommends that organizations using this product apply the most recent security update (hotfix 10.0.9.6173 or 10.0.9.6177) as soon as possible.

Further information about the referenced vulnerabilities is available here:
https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/


Vendor: Pulse Secure

Product: Pulse Connect Secure

Vulnerability:
CVE-2021-22893        Remote Code Execution (RCE)

Unfortunately, no security update is available yet for this vulnerability in Pulse Connect Secure. However, the vendor has published a workaround. NCSC recommends that organizations using this product deploy the workaround as soon as possible:
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/

In addition, NCSC recommends running the “Pulse Connect Secure Integrity Tool” on affected devices to verify their integrity:
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755

In addition, the NCSC would like to point out that similar vulnerabilities have been used by threat actors in the past month to attack corporate networks, deploy ransomware on them and exfiltrate large amounts of corporate data, which was then used to blackmail the victim organization. NCSC therefore rates these vulnerabilities as “critical”.

In general, NCSC makes the following recommendations regarding remote access such as VPN, Citrix or web mail:

  • Use two-factor authentication (2FA) for remote access. Logins based on a single factor (username and password) must be technically disabled.
  • Devices must be configured so that both successful and unsuccessful authentication attempts are logged (logging).

 

Last modification 21.04.2021

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/pulse-secure-sonicwall.html