Pulse Secure April Attack

By Anonymous -

Pulse Connect Secure vulnerability CVE-2021-22893 and other old vulnerabilities are being actively exploited.

While GRIMM engineers were not able to obtain a device or the firmware for a full analysis, the device in question looks like a Linux-based rack-mounted server that sits inside the firewall and mediates all kinds of access for clients accessing it via a web interface. Based on the available information, it appears weaknesses in the web application within the device have been the root of multiple problems, including the most recent vulnerability.

Takeaway

This was not a supply chain attack, this was a sophisticated actor becoming intimately familiar with a target and exploiting it persistently, continuing to find new vulnerabilities and tailoring their malware to blend in with the software. The signs are subtle but detectable: changes in hashes on the device, strange authentication behavior appearing in logs, small changes in network traffic such as new HTTP verbs and extra parameters being used. The attackers display impressive knowledge of the system in order to sustain persistent access, but they aren't invisible and omniscient. They would have been caught by something as routine as comparing binaries on the device to known configurations, though that's something the device appears to not allow users to do easily. The attackers employed log-cleaning tools after they gained access, but logging to a centralized server may have allowed defenders to notice the initial or successive access attempts.

Recommendation

Internet-facing network devices must be understood and their behavior logged and tracked centrally. Any device or service with high levels of administrative privilege or purview over an enterprise network should be heavily scrutinized. Security assessments will help increase confidence a device is not trivially exploitable, but sophisticated actors may still be able to find new vulnerabilities. A layered defense-in-depth strategy is the best protection, and devices should not be treated as black boxes whose behaviors and characteristics are only known and understood by the developers of the device.

Bug Details

From SA44784: This vulnerability includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway.

PCS 9.0R3 and up (Fixed in 9.1R.11.4)

  • Using the blacklisting feature to disable the "URL-Based Attack"
  • CVE-2021-22893 can be mitigated by importing the Workaround-2104.xml file.
    • Disables "Windows File Share Browser" and "Pulse Secure Collaboration"
    • Workaround-2014.xml does not work 9.0R1 - 9.0R4.1 or 9.1R1-9.1R2. If your PCS is running one of these versions, upgrade before doing the import
    • The workaround is not recommended for a license server. We recommend minimizing who can connect to a license server. For example, place a license server on a management VLAN, or have a firewall enforce source-IP restrictions.

Attacks

Attackers seen exploiting four vulnerabilities, only the last one is new:

  1. CVE-2019-11510 / SA44101 - Unauthenicated remote file access https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
  2. CVE-2020-8243 / SA44588 - Unauth RCE in admin web interface https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588
  3. CVE-2020-8260 / SA44601 - Authenticated RCE via uncontrolled gzip extraction https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
  4. CVE-2021-22893 / SA44784 https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784

Note that the Pulse Secure security advisories contain multiple vulnerabilities nested under each and include a litany of web bugs (XXE, XSS, cookie injection, zip slip, URL sanitization problems, SSRF). Primary commonality is the web admin interface.

Recommendations from Pulse Secure on what administrators can do:

  • Check the logs for unusual authentication requests
  • Log unauthenticated requests via a "Unauthenticated Request option" that is off by default
  • Disable admin access from the external port, which is the default setting

Popular posts from this blog

New Old Bugs in the Linux Kernel

By Anonymous -
Image
  Introduction Dusting off a few new (old) vulns Have you ever been casually perusing the source code of the Linux kernel and thought to yourself "Wait a minute, that can’t be right"? That’s the position we found ourselves in when we found three bugs in a forgotten corner of the mainline Linux kernel that turned out to be about 15 years old. Unlike most things that we find gathering dust, these bugs turned out to still be good, and one turned out to be useable as a Local Privilege Escalation (LPE) in multiple Linux environments. Who you calling SCSI? The particular subsystem in question is the SCSI (Small Computer System Interface) data transport, which is a standard for transferring data made for connecting computers with peripheral devices, originally via a physical cable, like hard drives. SCSI is a venerable standard originally published in 1986 and was the go-to for server setups, and iSCSI is basically SCSI over TCP. SCSI is still in use today, especially
Read more

Automated Struct Identification with Ghidra

By Anonymous -
Image
At GRIMM, we do a lot of vulnerability and binary analysis research. As such, we often seek to automate some of the analysis steps and ease the burden on the individual researcher. One task which can be very mundane and time consuming for certain types of programs (C++, firmware, etc), is identifying structures' fields and applying the structure types to the corresponding functions within the decompiler. Thus, this summer we gave one of our interns,  Alex Lin , the task of developing a Ghidra plugin to automatically identify a binary's structs and mark up the decompilation accordingly. Alex's writeup below describes the results of the project, GEARSHIFT, which automates struct identification of function parameters by symbolically interpreting Ghidra's P-Code to determine how each parameter is accessed. The Ghidra plugin described in this blog can be found in our GEARSHIFT repository . Background Ghidra is a binary reverse engineering tool developed by the National Sec
Read more

SOHO Device Exploitation

By Anonymous -
Image
Netgear R7000 SOHO Device Exploitation After a long day of hard research, it’s fun to relax, kick back, and do something easy. While modern software development processes have vastly improved the quality of commercial software as compared to 10-15 years ago, consumer network devices have largely been left behind. Thus, when it’s time for some quick fun and a nice confidence boost, I like to analyze Small Office/Home Office (SOHO) devices. This blog describes one such session of auditing the Netgear R7000 router , analyzing the resulting vulnerability, and the exploit development process that followed. The write-up and code for the vulnerability described in this blog post can be found in our NotQuite0DayFriday repository. Initial Analysis The first step when analyzing a SOHO device is to obtain the firmware. Thankfully, Netgear’s support website hosts all of the firmwares for the R7000. The Netgear R7000 version 1.0.9.88 firmware used in this blog post can be downloaded from this web
Read more