On Oct 26th, 2020, Pulse issued a security advisory addressing multiple vulnerabilities of high severity in Pulse appliances. Among the multiple vulnerabilities, CVE-2020-8260 was identified as a Remote Code Execution vulnerability via Uncontrolled Gzip Extraction with a CVSSv3 base score of 7.2.
Vulnerability Details:
Security researchers Richard Warren and David Cash of NCC Group Research & Technology discovered and reported this Authenticated Remote Code Execution vulnerability (CVE-2020-8260).
The Pulse Connect Secure appliance allows administrative users to import and export archived configurations via the /dana-admin/cached/config/import.cgi CGI script and does not restrict the files that can be extracted when importing or exporting archived configurations. It also allowed attackers to overwrite any file on the /home/runtime or /home/runtime/tmp partition which when exploited could result in Remote Code execution on the underlying operating system with root privileges. Further, this allows attackers to bypass any restrictions enforced via the web application, extract and decrypt credentials, create a persistent backdoor, or pivot into the internal network.
Affected Products:
Pulse Connect Secure (PCS) prior to 9.1R9
Exploitation:
Researchers demonstrated multiple ways of triggering RCE.
Watchdog:
Linux kernel Watchdog agent is installed on PCS with its config file stored at /home/runtime/kwatchdog/watchdog.conf. For successful exploitation overwrite the watchdog.conf file with a test-binary parameter and point to a custom binary.
Structure of the malicious gzip file:
~ ./configdecrypt myconf.cfg myconf.gz ~ tar -zxvf myconf.gz kwatchdog/ kwatchdog/dropbearkey kwatchdog/deploybear kwatchdog/watchdog.conf kwatchdog/dropbear
Modified watchdog.conf file:
test-binary = /home/runtime/kwatchdog/deploybear test-timeout = 3600
Template Toolkit:
PCS uses the Perl Template Toolkit to compile templates and store in the /home/runtime/tmp/tt/ folder. For successful exploitation overwrite the /home/runtime/tmp/tt/setcookie.thtml.ttc, using the gzip file write primitive.
Structure of the malicious gzip file:
~ ./configdecrypt config.exp decrypted.exp
~ tar -zxvf decrypted.exp
tmp/
tmp/tt/
tmp/tt/setcookie.thtml.ttc
~ cat tmp/tt/setcookie.thtml.ttc
system($ENV{HTTP_PULSE_CMD})
To trigger the code execution make a GET request to /dana-na/auth/setcookie.cgi. The command specified in the PULSE_CMD HTTP header will get executed with root privileges.
Mitigation:
The vendor has published an official advisory to address this vulnerability. Customers are recommended to patch their vulnerable assets.
Workaround:
Customers can also refer to below steps as a workaround:
- Restrict admin web console to Internal interface and disable Internet access.
- Implement 2FA or MFA based configuration.
- Implement realm level restrictions for admin realms and roles to provide additional protection.
Detection:
Qualys customers can scan their network with QID 38815 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.
References:
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/