April 20, 2021
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 21-03, “Mitigate Pulse Connect Secure Product Vulnerabilities”.
Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2)
Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3).
Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v)
These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).
CISA has observed active exploitation of vulnerabilities in Pulse Connect Secure products, a widely used SSL remote access solution. Successful exploitation of these vulnerabilities could allow an attacker to place webshells on the appliance to gain persistent system access into the appliance operating the vulnerable software. CISA has no knowledge of other affected Pulse Secure products (including the Pulse Secure Access client).
CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities by threat actors in external network environments, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.
CISA has published Activity Alert AA21-110A (https://us-cert.cisa.gov/ncas/alerts/aa-21-110a) providing further details and resources.
By 5 pm Eastern Daylight Time on Friday, April 23, 2021 all federal agencies must:
- Enumerate all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or a third party on the agency’s behalf.
- On every instance of a Pulse Connect Secure appliance identified in the step above, deploy and run the Pulse Connect Secure Integrity Tool (https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755)
This tool checks the integrity of the file system and detects any mismatch of hashes. Adversaries are known to maintain persistence over upgrade cycles, and it is critical to run the tool even if all updates have already been deployed and the appliance is running the latest version of software. Detected mismatched files will be made available for download as an encrypted zip archive. If an agency’s version of Pulse Connect Secure is not supported by the tool, agencies must upgrade the software to the latest version and then run the tool. For a list of supported versions see: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755
a. If the tool does not detect any mismatch of hashes on an initial check, agencies must take one of the following steps until such a time as the vendor releases a patch addressing all of the vulnerabilities covered by this Directive.
i. Continue running the tool every 24 hours, or
ii. Apply a workaround mitigation by importing a vendor-provided XML configuration file (https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s).
b. If the tool detects any hash mismatches or newly detected files:
i. Immediately isolate the appliance from the network while keeping the power on and report the finding as an incident through https://us-cert.cisa.gov/report. The summary details of the scan as reported by the tool must be attached to the ticket.
ii. Immediately create a ticket with the vendor and have them assist with capturing memory and disk forensic images. Due to the vendor’s software configuration, CISA cannot assist with the initial forensic capture.
iii. Ensure the forensic artifacts captured in previous steps have been preserved and consult with CISA on further analysis steps.
iv. Affected appliances may be returned into production only after forensic analysis has been completed and remediation requirements from Appendix A have been met.
- All Pulse Connect Secure appliances in operation must install subsequent updates and security advisories within 48 hours of release by the vendor.
- Submit a report to CISA using the provided reporting template. Department-level Chief Information Officers (CIOs) or equivalents must submit this report attesting agency status to CISA.
These Required Actions apply to agencies operating Pulse Connect Secure in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
Federal Information Systems Hosted in Third-Party Environments (such as Cloud)
CISA is working closely with FedRAMP to coordinate the response to this Directive with FedRAMP Authorized cloud service providers (CSPs). FedRAMP Authorized CSPs have been informed to coordinate with their agency customers. CISA is also aware of third parties providing services for federal information systems subject to this Directive that may not be covered by a FedRAMP authorization.
Each agency is responsible for inventorying all their information systems hosted in third-party environments (FedRAMP Authorized or otherwise) and contacting service providers directly for status updates pertaining to, and to ensure compliance with, this Directive. If instances of affected versions have been found in a third-party environment, reporting obligations will vary based on whether the provider is another federal agency or a commercial provider.
If the affected third-party service provider is another federal entity, the provider agency itself is responsible for reporting any incidents to CISA and the customer agency does not have any further reporting obligation.
If the affected third-party service provider is a commercial provider (FedRAMP Authorized or otherwise) and is running an affected version of Pulse Secure (listed above), this is a cybersecurity incident per 44 U.S.C. § 3552(b)(2) and must be reported by the customer agency to CISA through https://us-cert.cisa.gov/report.
All other provisions specified in this Directive remain applicable.
- CISA will continue to work with our partners to monitor for active exploitation associated with these vulnerabilities.
- CISA will provide technical assistance to agencies without internal capabilities to comply with this Directive.
- CISA will provide updated direction or any additional guidance and indicators of compromise to agencies via the CISA website, through an emergency directive issuance coordination call, and through individual engagements upon request (via CyberDirectives@cisa.dhs.gov). Agencies will be notified of updates via communication from CISA.
- By May 10, 2021, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying cross-agency status and outstanding issues.
This Emergency Directive remains in effect until all agencies operating Pulse Connect Secure servers have applied forthcoming patches that resolve all currently exploited vulnerabilities or the Directive is terminated through other appropriate action.
Visit the Cybersecurity Directives Page or contact the following for:
- Reporting indications of potential compromise – https://us-cert.cisa.gov/report
- General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
Appendix A - Remediation Requirements
After forensic analysis, agencies may proceed with returning the affected appliance into production if the following actions are completed:
a. Save the system and user configuration.
b. Perform a factory reset (https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22964).
c. Update appliance to the latest version.
d. Re-import the saved configuration.
e. Reset all passwords associated with accounts passing through the Pulse Secure environment (including user accounts, service accounts, administrative accounts and any accounts that could be modified by any account described above). If a Pulse Connect Secure appliance is compromised, all of these accounts should also be assumed to be compromised.
f. Review all configuration settings to ensure no unauthorized changes were made.
g. Deploy and run the Pulse Connect Secure Integrity Tool daily (or implement the XML workaround) until a patch is available