CISA Issues Deadline for Federal Agencies to Address Pulse Secure Vulnerabilities

Federal agencies have until 5 p.m. Eastern Standard Time April 23 to implement an emergency directive the Cybersecurity and Infrastructure Security Agency issued on vulnerabilities affecting virtual private networking service Pulse Secure Connect, which have already compromised federal agencies.

“The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related to vulnerabilities in certain Ivanti Pulse Connect Secure products,” reads an alert accompanying the directive.

The directive issued Tuesday evening is CISA’s third emergency directive this year. Last week agencies were ordered to submit reports to CISA following the release of new patches for on-premises Microsoft Exchange Servers and are now facing new compromises of credentials following intrusions by SolarWinds’ hackers that took advantage of their access to legitimate accounts to move around in their networks.

CISA’s directives apply to federal civilian agencies but the defense sector was particularly targeted by one of the threat actors associated with the newest order, according to the cyber intelligence firm FireEye, which suspects that actor is associated with the Chinese government. The Defense Department is also investigating whether it was affected by the vulnerabilities.

“We are aware of the report regarding the vulnerability in Pulse Secure VPN devices,” a DOD spokesperson told Nextgov. “We are assessing potential impact to the Defense Information Network and taking the appropriate steps to protect our data, networks, and systems. We are in close communication with [National Security Agency] and CISA and recognize the serious nature of this and other cyber threats to the Department and to the country."

CISA’s alert with details on the vulnerabilities strongly urged all organizations to immediately take the actions similarly outlined in the directive.

Tuesday’s directive, which followed FireEye’s initial disclosure, covers four vulnerabilities in the Pulse Secure Connect product. Patches have been available for three of them going back to 2019 and CISA’s order requires agencies to update the appliance to the latest version. 

The fourth vulnerability is new, and an ultimate fix won’t be available till “early May” according to the company. In the interim, the company issued the Pulse Security Integrity Checker tool, which CISA ordered agencies to run every 24 hours to check for compromises or apply a “workaround mitigation” by importing an XML configuration file provided by the vendor, until a patch is available.

Agencies must immediately report any mismatches or new files detected by their scans as incidents to CISA.

FireEye is tracking 12 malware families associated with the exploitation of the Pulse Secure Connect vulnerabilities, including ones that allow the attackers to bypass authentication measures and harvest legitimate credentials, and move around undetected.

“Reset all passwords associated with accounts passing through the Pulse Secure environment (including user accounts, service accounts, administrative accounts and any accounts that could be modified by any account described above),” CISA directed. “If a Pulse Connect Secure appliance is compromised, all of these accounts should also be assumed to be compromised.”

CISA’s directive provides instructions related to agencies’ use of third-party providers, including cloud service providers, some of which may not be covered by the Federal Risk and Authorization Management Program.

While the directive states FedRAMP-authorized CSPs have been informed to coordinate with their agency customers, the agency added: “Each agency is responsible for inventorying all their information systems hosted in third-party environments (FedRAMP Authorized or otherwise) and contacting service providers directly for status updates pertaining to, and to ensure compliance with, this Directive.”

CISA said reporting obligations would vary based on if the provider is a commercial provider or another federal agency. 

If the affected third-party service provider is another federal entity, the provider agency itself is responsible for reporting any incidents to CISA and the customer agency does not have any further reporting obligation,” according to the directive. “If the affected third-party service provider is a commercial provider (FedRAMP Authorized or otherwise) and is running an affected version of Pulse Secure (listed above), this is a cybersecurity incident per 44 U.S.C. § 3552(b)(2) and must be reported by the customer agency to CISA through https://us-cert.cisa.gov/report.”

Under the directive, CISA will report by May 10 to the Homeland Security secretary and the Office of Management and Budget director on outstanding issues and the status across agencies.