Pulse Secure has released a new patch for its Connect Secure virtual private network (VPN) products to fix a critical RCE vulnerability.
Pulse Secure VPNs are widely used worldwide, so much so that entire malware families have been created to take advantage of any available vulnerability. The company has to fix these problems quickly, and that means closing any critical exploits.
The latest vulnerability the company closed is actually a follow-up to a previous incomplete patch that dealt with the same type of problem.
“The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root,” said the NCC Group, the researchers who discovered the issue. “This vulnerability is a bypass of the patch for CVE-2020-8260.”
Exploitation of this vulnerability would have let attackers obtain root privileges, circumvent restrictions enforced via the web application, and remount the file system, allowing them to create a persistent backdoor, extract and decrypt credentials, compromise VPN clients or pivot into the internal network.
Pulse Secure fixed the previous vulnerability in the chain in October 2020. Not surprisingly, CVE-2020-8260 was exploited in the wild, to the point where CISA even issued its own advisory. Attackers exploited those vulnerabilities even though the vendor issued a patch. Many users didn’t apply it.
“The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence,” said the agency. “The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.”
Users have been urged to apply the latest patch as soon as possible. Attackers may soon use this vulnerability in their campaigns, just like they did before, counting on the fact that there will always be some customers who don’t update their systems quickly enough.