Threat Response - High risk vulnerability in Ivanti Secure Access VPN (previously Pulse Secure)

Our reverse engineering team found a high-risk vulnerability in Ivanti Secure Access VPN, previously known as Pulse Secure VPN, that allows an attacker to obtain administrative privileges on a system which has the VPN client software installed. This means that an attacker, who has gained access to a system can, among other things, gain unrestricted access to all data on the system and disable EDR. Ivanti released a hotfix on November 9^th that fixes the vulnerability [1]. We advise installing this hotfix and following the recommendations from Ivanti immediately, if the vulnerable software is in use. At a later stage, when there is sufficient resistance, Northwave will share the details of the vulnerability.

Description
Ivanti's Secure Access VPN, previously known as Pulse Secure VPN, is an SSL VPN solution for remote users to connect to a network from anywhere [2]. Its setup usually consists of a server in the network, and VPN client software installed on systems that connect to the server. The vulnerability exists in the VPN client software. It can be exploited by an attacker that has low privileged access to the system which the client software is installed on, by writing a malicious payload to the Secure Access VPN kernel driver. This results in kernel code execution, with which the attacker has complete and unrestricted access to the underlying hardware of a system. Similar kernel code execution vulnerabilities are actively abused by threat actor groups such as InvisiMole, which is active in cyber espionage operations in Ukraine and Russia [3].

The following versions of the software are vulnerable:

• Pulse Secure VPN version 9.1R18 and lower.
• Ivanti Secure Access version 22.6R1 and lower.

Impact
We estimate the impact of this vulnerability as high because successful exploitation could lead the attacker to execute code in the kernel of a system, for example to escalate privileges or disable defensive measures such as EDR. The confidentiality, integrity, and availability of data on the system can therefore no longer be guaranteed.

Risk
No public exploit code is currently available. However, based on the time our reverse engineering team has spent developing working exploit code, we suspect that a motivated attacker with sufficient resources could write working exploit code in a matter of days. That is why we estimate the risk of this vulnerability to be high.

What should you do?
Ivanti released a Secure Access VPN hotfix to address this vulnerability [1]. We advise installing this hotfix and following the recommendations from Ivanti immediately, if the vulnerable software is in use, to mitigate the risk.

What will Northwave do?
We have already contacted Endpoint Detection & Response customers, that have the vulnerable software component installed, to mitigate the vulnerability. Clients with our EDR service will get notified when an attacker tries to exploit the vulnerability. We will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.

E-mail: soc@northwave.nl
Do you have an incident right now? Call our CERT number: 00800 1744 0000

Disclaimer applies, see below.

Sources
[1]: https://forums.ivanti.com/s/article/Security-fixes-included-in-the-latest-Ivanti-Secure-Access-Client-Release
[2]: https://www.ivanti.com/products/connect-secure-vpn
[3]: https://web-assets.esetstatic.com/wls/2020/06/ESET_InvisiMole.pdf