Pulse Connect Secure Authenticated Arbitrary Code Execution Vulnerability (CVE-2021-22908)

Pulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow authenticated remote attacker to execute arbitrary code. By performing certain SMB operations with a specially crafted server name, an authenticated attacker may be able to execute arbitrary code with root privileges on a vulnerable PCS server.

PCS allows to connect to Windows file shares (SMB) by several CGI scripts, which in turn use libraries and helper applications based on Samba. “When specifying a long server name for some SMB operations, the ‘smbclt’ application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” CERT/CC detailed in a vulnerability note published on Monday. CERT/CC added that it was able to trigger the vulnerable code by targeting the CGI script ‘/dana/fb/smb/wnf.cgi.’

As per the advisory, below are a few key points around Windows File Access policy for PCS:

  • Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user.
  • Any PCS device that started as version 9.1R2 or earlier will have a default policy that allows connecting to arbitrary SMB hosts.
  • As of version 9.1R3, permission to access Windows File Access policy is not enabled by default.
  • In the administrative page for the PCS, see Users > Resource Policies > Windows File Access Policies to view your current SMB policy.
  • If your PCS has a policy that explicitly allows \\* or otherwise may allow users to initiate connections to arbitrary SMB server names, you should configure PCS to deny connections to such resources to minimize your PCS attack surface.

Successful exploitation of this vulnerability may not produce such a log entry if the program is cleanly exited during exploitation, or if the log files are sanitized after successful exploitation.

Affected products

  • Pulse Connect Secure 9.0RX and
  • Pulse Connect Secure 9.1RX

Workaround

Pulse Connect Secure customers are recommended to upgrade to PCS Server version 9.1R.11.5 when it becomes available.

In the interim, Ivanti has published a workaround file (‘Workaround-2105.xml‘) that can be imported to disable the Windows File Share Browser feature by adding the vulnerable URL endpoints to a blocklist and thus activate necessary mitigations to protect against this vulnerability.

Note that users running PCS versions 9.1R11.3 or below would need to import a different file named ‘Workaround-2104.xml,’ necessitating that the PCS system is running 9.1R11.4 before applying the safeguards in ‘Workaround-2105.xml.

This workaround will block requests that match the following URI patterns:

  • ^/+dana/+fb/+smb
  • ^/+dana-cached/+fb/+smb

Workaround-2105.xml will automatically deactivate the mitigations applied by Workaround-2104.xml when it is installed. As such, it is imperative that a PCS system is running 9.1R11.4 before applying the Workaround-2105.xml mitigation, which will ensure that the vulnerabilities outlined in SA44784 are not reintroduced as the result of applying this workaround.

Note that installing this workaround will block the ability to use the Windows File Share Browser feature.

Qualys Detection

Qualys customers can scan their network with QID(s) 38839 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.

References and Sources

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800/?kA23Z000000boUgSAI

https://kb.cert.org/vuls/id/667933

https://thehackernews.com/2021/05/new-high-severity-vulnerability.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29

https://my.pulsesecure.net/

https://docs.pulsesecure.net/WebHelp/PCS/9.1R1/AG/Content/PCS/PCS_AdminGuide_9.1R1/Importing_an_XML_Configuration.htm

 

Leave a Reply

Your email address will not be published. Required fields are marked *