New York State Department of Financial Services · NY
Pulse Connect Secure Critical Vulnerability
April 26, 2021
Summary
The New York Department of Financial Services requires all regulated entities using Ivanti Pulse Connect Secure VPN products to assess their systems for compromise following critical security vulnerabilities. Entities must run the Pulse Secure Integrity Tool, implement vendor mitigations, and submit a mandatory status survey to the Department.
April 26, 2021
To: All Regulated Entities
From: New York Department of Financial Services
Re: Pulse Connect Secure Critical Vulnerability
On April 20, 2021, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued a Cyber Activity Alert (AA21-110A) and an Emergency Directive (21-03) regarding vulnerabilities in certain Ivanti Pulse Connect Secure products, which are widely used for virtual private network (VPN) remote access. These vulnerabilities are currently being exploited and have affected government agencies, critical infrastructure entities, and other private sector organizations.
If your company uses Ivanti Pulse Connect Secure products, you should follow CISA’s guidance and immediately run Ivanti’s Pulse Secure Connect Integrity Tool to determine whether your VPN has been compromised. If it was compromised, you should investigate whether there was malicious activity and implement the mitigations released by Ivanti. Ivanti is developing a patch, but until it is released, CISA recommends updating to the latest software version.
The CISA Alert and Emergency Directive cited above, along with the Pulse Secure blog dated April 20, 2021, contain more detailed information on this newly discovered compromise. Specifically, Pulse Secure has identified four issues which are described in Security Advisory SA44784 (CVE-2021-22893), Security Advisory SA44601 (CVE-2020-8260), Security Advisory SA44588 (CVE-2020-8243), and Security Advisory SA44101 (CVE-2019-11510). Affected products include:
- Pulse Connect Secure (PCS) 9.1Rx or below
- Pulse Policy Secure (PPS) 9.1Rx or below
- Pulse Secure Desktop Client (PDC) 9.1Rx or below
Given the current exploitation of this vulnerability and the widespread use of VPNs, we ask all regulated entities to fill out the following survey by April 30:
Regulated entities should remediate security flaws immediately and are reminded to report Cybersecurity Events pursuant to 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest.
Any questions or comments regarding this Alert should be directed to [email protected].
Source: https://www.dfs.ny.gov/industry_guidance/industry_letters/il20210426_pulse_connect_secure