SonicWall Email Security and Pulse Secure VPN Vulnerabilities

By Jeff Wehrman, Vigilant CISO

A Vigilant Threat Alerts Series

Vigilant wants to ensure that our clients are aware of multiple critical vulnerabilities in both SonicWall Email Security and Pulse Secure VPN appliances. These new vulnerabilities require immediate attention.

What Happened?

SonicWall announced three (3) Zero-Day vulnerabilities in their Email Security product. At least one of these vulnerabilities has been observed being exploited “in the wild.” These vulnerabilities allow an attacker to create an administrator account and either read or write files remotely.

Pulse Secure published a new Critical security advisory for their Pulse Connect Secure VPN product. Active exploitation of vulnerabilities has been observed “in the wild” for these Pulse Connect Secure products, a widely used SSL remote access solution. Successful exploitation of these vulnerabilities could allow an attacker to place webshells on the appliance to gain persistent system access into the appliance operating the vulnerable software.

To reiterate, these vulnerabilities have been observed being exploited in the wild. A patch is available for the SonicWall Email Security appliances, but only mitigation is currently available for the Pulse Secure VPN appliances.

What Immediate Action(s) on your Microsoft DNS Servers Are We Recommending?

1. If you are running SonicWall Email Security, please update/patch your appliances! As we have said in the past, patching is always the first and, generally speaking, the most effective course of action. We urgently recommend that you update/patch all appliances as needed.

• SonicWall Email Security vulnerabilities:

• https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/

• https://www.sonicwall.com/support/knowledge-base/how-do-i-upgrade-firmware-on-an-email-security-appliance/170504270079039/

• NOTE: If you are using their hosted email security product, no action is needed as SonicWall has already addressed these on their side.

2. If you are running Pulse Secure VPN, please review the details of the vulnerabilities that apply to your environment (see links below) and complete the recommended mitigation(s) as soon as possible.

• Pulse Secure VPN vulnerabilities:

• https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/

• https://cyber.dhs.gov/ed/21-03/

• Run the Pulse Connect Secure Integrity Tool and continue running every 24 hours : https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755

OR

• Apply a workaround mitigation by importing the vendor-provided XML configuration file: https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s

3. Be our eyes and ears, if you see something, please let us know by opening a ticket or reaching out to our team.

• Submit a ticket to us via the Customer Portal: https://vigilant.support
• Or call Toll Free: 1-855-238-4445 Option 4

We are in the “trenches” and fighting together with you!

Create a Ticket

What is Vigilant Doing to Keep Your Organization Secure?

At this time, there is very limited information available about the current exploitations occurring “in the wild” for both the SonicWall and Pulse Secure vulnerabilities (other than some have already taken place). Vigilant will continue to monitor the situation and provide updates as more information becomes available.

• If you subscribe to our Managed Endpoint Protection (MEP) service, Vigilant recommends the following actions:

1. Follow the patching and/or mitigation recommendations above.
2. Please make sure that the MEP agent is deployed to your endpoints running these services (e.g., Virtual Machine appliances).
3. Please ensure that no other security agents or solutions are installed on these endpoints as they interfere with the operation and performance of our MEP service.
4. If you only have MEP Level I – MEP Level I does not have file system inventory, so while MEP Level I can detect and block follow-on threat actor activity, without MEP Level II, we can’t proactively tell you if there are other artifacts or issues on these systems from attacker activity. If you would like us to scan and hunt on these systems with full visibility, please reach out to your Vigilant CRS agent and request a quote to be upgraded to MEP Level II on these systems. We can easily upgrade your MEP level I systems within minutes.

• If you subscribe to our CyberDNA service, Vigilant recommends the following actions:

1. Follow the patching and/or mitigation recommendations above.
2. If you do not subscribe to our MEP Level II service, our Hunt Team does not have deep visibility into your endpoints (only network traffic around them) so contact your Vigilant CRS agent if you would like a quote to add MEP Level II to your DNS servers.

Upgrade Now!

With the right visibility into and across your network as well as your endpoints, it is easier and faster to respond to these kinds of vendor vulnerabilities and detect if/when they are exploited by malicious actors so they can be remediated accordingly.