Client Advisory: Vulnerabilities in multiple platforms

An advisory released by the NSA, CISA and FBI on 15 April warns of vulnerabilities being exploited by the Russian Foreign Intelligence Service, also known as APT29.

Cyber Advisory 2 min 29 Apr, 2021

These vulnerabilities are publicly known and are being used to scan and exploit vulnerable systems, obtain authentication credentials, and gain further access to systems.

The known vulnerabilities that SVR are exploiting are:

  • CVE-2018-13379 – FortiOS SSL VPN web portal
  • CVE-2019-9670 – Synacor Zimbra Collaboration Suite
  • CVE-2019-11510 – Pulse Secure Pulse Connect Secure VPN
  • CVE-2019-19781 – Citrix Application Delivery Controller and Gateway
  • CVE-2020-4006 – VMware Workspace ONE Access

We strongly urge all organizations to immediately patch vulnerable devices. We recommend speaking with your IT team or patch management administrators - whether in-house or a managed service provider - to ensure the relevant patches have been installed and devices are up to date.

Furthermore, CISA released an alert on April 20th 2021 regarding the exploitation of Pulse Connect Secure VPN vulnerabilities by nation-state attackers. Successful exploitation of these vulnerabilities could allow an attacker to gain persistent system access into the appliance operating the vulnerable software. The vulnerabilities being exploited in this instance are:

  • CVE-2019-11510 (as above)
  • CVE-2020-8260
  • CVE-2020-8243
  • CVE-2021-22893 (no patch currently available – mitigations available from Ivanti)

We strongly encourage organizations using Pulse Connect Secure appliances to immediately run the Pulse Secure Connect Integrity Tool available in the references below, update to the latest software version, and investigate for malicious activity.

If you have concerns about your environment and need assistance, please contact CFC’s 24/7 Incident Response team through the CFC IR mobile application, or use these phone numbers:

  • USA (local):   1 844 677 4155
  • Canada (local):   1800 607 1355
  • Australia (local):   1800 803 202
  • UK:   0800 975 3034
  • Rest of World:   +44 (0) 208 798 3134

 

References

NSA, CISA, and FBI cybersecurity advisory

https://cyber.dhs.gov/ed/21-03/

https://www.ncsc.gov.uk/news/advice-on-pulse-connect-secure-rce-vulnerability

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755