Security networking vendors SonicWall and Pulse Secure have both issued urgent alerts to customers regarding active zero-day attacks exploiting vulnerabilities in their products.
SonicWall: three zero-day vulnerabilities
SonicWall has patched three zero-day vulnerabilities (CVE-2021-20021, CVE-2021-20022, CVE-2021-20023) that affect its Email Security product. Chained together, they could allow an attacker to create a new administrator account on the system and then use it to upload arbitrary files to, or read arbitrary files from, the target server.
SonicWall has issued a security advisory that warns users:
In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild.’ It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade
The vulnerabilities were first spotted being exploited in the wild by researchers at Mandiant, who observed attackers chaining them to install a backdoor on the target network, access files and emails, and then move laterally within the network.
Pulse Secure VPN zero-day exploited by 12 malware families
The team at Mandiant also reports on a new zero-day exploit affecting Pulse Secure VPN software. The vulnerability, rated critical with a CVSS score of 10, allows an unauthenticated attacker to execute arbitrary code on the Pulse Connect Secure server which, being a VPN endpoint, is necessarily exposed to the Internet.
The security advisory from Pulse Secure warns that the vulnerability poses a ‘significant risk.’ According to the Mandiant report, groups suspected of being backed by China are targeting the vulnerability, with 12 different malware families observed in the activity.
While patches are not expected to be available until later in May 2021, the vendor has published a mitigation that blocks the URLs targeted in the attack.
Pulse Secure has also released a software tool to help users of the Pulse Connect Secure software validate the integrity of their installation and determine whether it has been modified to install a web shell or other persistence mechanism.
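The vendor's checker is specific to its own product. As an added illustration of the underlying technique (this is not Pulse Secure's tool or code), the following Python builds a SHA-256 manifest of an install tree and compares it against a known-good baseline, so that a dropped file or an altered script surfaces as 'added' or 'modified'; the directory and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline, current):
    """Compare a trusted baseline manifest with a freshly built one.

    Returns sorted lists of 'added', 'removed' and 'modified' paths. A file
    planted by an attacker shows up as 'added'; a tampered script as 'modified'.
    """
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a clean tree, then alter one file and add one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "login.cgi").write_text("#!/usr/bin/perl\n# original handler\n")
        (root / "index.html").write_text("<html>portal</html>\n")
        baseline = build_manifest(root)  # captured while the system is known-good
        (root / "cgi-bin" / "login.cgi").write_text("#!/usr/bin/perl\n# one line changed\n")
        (root / "cgi-bin" / "extra.cgi").write_text("# placeholder for an unexpected new file\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest must be taken from a trusted source (vendor-published hashes or a clean image), not from the appliance under investigation.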
These two attack campaigns, initially carried out by nation-state actors, highlight the importance of including network infrastructure devices and appliances in regular monthly security patching.