Amid high-risk Pulse Secure vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to run a tool on all devices operating Pulse Connect Secure products to check for active exploits allegedly tied to Chinese government-backed operatives.
Emergency Directive 21-03 is the third such order CISA has issued in the past five months, or since the SolarWinds Orion incident and the Microsoft Exchange Hafnium attacks. The latest warning comes immediately following a CISA alert regarding vulnerabilities discovered in Pulse Secure's virtual private networking (VPN) software.
Pulse Connect Secure is a popular remote access solution. If it is exploited, hackers can implant web shells on an appliance to gain repeated access to the system.
CISA advised agencies that it is “critical” to run the tool even if the appliance is operating the latest version of the solution and all updates have been applied. If an agency’s version of Pulse Connect Secure is not supported by the tool, an upgrade to the latest version must be installed before running the tool. Agencies are required to run the tool every 24 hours until a patch is issued or apply a workaround provided by Pulse Secure. Should the tool detect an issue, CISA advised agencies to isolate the device from the network and report the incident. A final patch to address the vulnerability is expected in May 2021.
CISA said it is coordinating its response with the Federal Risk and Authorization Management Program (FedRAMP), the government-run program standardizing security assessments for cloud products and services. All FedRAMP authorized cloud service providers (CSPs) have been told to coordinate with their agency customers.
“Each agency is responsible for inventorying all their information systems hosted in third-party environments (FedRAMP Authorized or otherwise) and contacting service providers directly for status updates pertaining to, and to ensure compliance with, this Directive,” CISA wrote. “If instances of affected versions have been found in a third-party environment, reporting obligations will vary based on whether the provider is another federal agency or a commercial provider,” the alert said.
U.S. Federal Government Agencies: Mitigating Pulse Secure Vulnerability Risks
All federal agencies have been ordered to compile a status report by 5 p.m. EDT on Friday, April 23, 2021, with the following information:
- List all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or a third party on the agency’s behalf.
- Deploy and run the Pulse Connect Secure Integrity Tool on every identified instance of a Pulse Connect Secure appliance.