Pulse Secure VPNs Get Quick Fix for Critical RCE | Threatpost

Pulse Secure has issued a workaround for a remote-code execution (RCE) vulnerability in its Pulse Connect Secure (PCS) VPN gateways that allows a remote, authenticated user who has permission to browse SMB file shares to execute arbitrary code as root on the appliance.

Pulse Secure’s parent company, Ivanti, issued an out-of-band advisory on May 14. The company explained that this high-severity bug – identified as CVE-2021-22908 and rated CVSS 8.5 – affects Pulse Connect Secure versions 9.0Rx and 9.1Rx.

“Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,” according to the advisory. “As of version 9.1R3, this permission is not enabled by default.”

The CERT Coordination Center issued a report about the vulnerability, explaining that the problem stems from a buffer overflow vulnerability in the PCS gateway. CERT/CC explained that the gateway’s ability to connect to Windows file shares through a number of CGI endpoints could be leveraged to carry out an attack.

“When specifying a long server name for some SMB operations, the smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” CERT/CC noted. Even fully patched PCS 9.1R11.4 systems are vulnerable: CERT/CC said it managed to trigger the vulnerability by targeting the CGI script /dana/fb/smb/wnf.cgi, although “Other CGI endpoints may also trigger the vulnerable code.”

There is currently no practical solution to the underlying bug, at least none that CERT/CC is aware of, according to Will Dormann, who discovered the vulnerability and wrote the CERT/CC report. He offered two workarounds to reduce exposure until a fixed release is available:

Fix No. 1: Apply XML Workaround

Pulse Secure has published a quick fix: a Workaround-2105.xml file containing a mitigation for the vulnerability. “Importing this XML workaround will activate the protections immediately,” according to Dormann’s report, and “does not require any downtime for the VPN system.”

The workaround blocks requests that match these URI patterns:

^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb

Dormann advised users to note that Workaround-2105.xml will automatically deactivate the mitigations applied by an earlier workaround, Workaround-2104.xml. That makes it “imperative that a PCS system is running 9.1R11.4 before applying the Workaround-2105.xml mitigation,” he said, to ensure that the vulnerabilities outlined in SA44784 aren’t reintroduced as the result of applying the workaround.

The trade-off is that the workaround blocks the Windows File Share Browser feature entirely for all users.
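To see what the two URI patterns actually match, and to hunt for past requests to the affected endpoints in gateway access logs, the following Python script is an added example (not code from Pulse Secure, CERT/CC or the original article). The log lines are constructed for illustration in common log format; the real PCS log format, the SMB server-name parameter and the contents of Workaround-2105.xml beyond the two published patterns are not known from the page and are not assumed here. The script shows why the patterns use `/+` rather than `/`: a request for `//dana//fb//smb/wnf.cgi` still reaches the same handler on many web stacks, and a filter anchored on a single slash would miss it.

```python
import re

# The two URI patterns the Workaround-2105.xml mitigation blocks, as published
# in the CERT/CC note. "/+" matches one or more slashes, so doubled-slash
# variants such as "//dana//fb//smb" are caught as well as "/dana/fb/smb".
BLOCKED_URI_PATTERNS = [
    re.compile(r"^/+dana/+fb/+smb"),
    re.compile(r"^/+dana-cached/+fb/+smb"),
]


def is_blocked(path: str) -> bool:
    """Return True if a request path matches one of the workaround patterns."""
    return any(p.search(path) for p in BLOCKED_URI_PATTERNS)


# Constructed sample access-log lines (common log format) for the demo; they
# are not real PCS logs. Two lines hit the wnf.cgi endpoint named by CERT/CC,
# one of them with doubled slashes, and one hits the dana-cached variant.
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2021:10:01:12 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512
10.0.0.7 - - [14/May/2021:10:02:03 +0000] "POST /dana/fb/smb/wnf.cgi HTTP/1.1" 200 2048
10.0.0.7 - - [14/May/2021:10:02:09 +0000] "GET //dana//fb//smb/wnf.cgi?x=1 HTTP/1.1" 200 2048
10.0.0.9 - - [14/May/2021:10:03:44 +0000] "GET /dana-cached/fb/smb/somefile HTTP/1.1" 404 0
10.0.0.9 - - [14/May/2021:10:04:01 +0000] "GET /dana/home/index.cgi HTTP/1.1" 200 4096
"""

# Minimal common-log-format parser: client IP, timestamp, method, request
# target (path plus optional query string) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def request_path(target: str) -> str:
    """Strip the query string without a URL parser.

    urllib.parse.urlsplit would treat a leading "//" as a network location and
    return a different path for "//dana//fb//smb/wnf.cgi", which is exactly
    the kind of normalisation difference that lets filters be bypassed.
    """
    return target.split("?", 1)[0]


def find_smb_browser_requests(log_text: str) -> list:
    """Return the parsed log entries whose path the workaround would block."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = request_path(m.group("target"))
        if is_blocked(path):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in find_smb_browser_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

Run against real gateway logs, hits from before the workaround was imported are the requests worth reviewing, and any hit after it was imported suggests the import did not take effect. A status code alone says nothing about whether smbclt crashed, so correlate with appliance crash or process logs where available.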

Fix No. 2: Set a Windows File Access Policy

Dormann said that a PCS system that was first installed as 9.1R2 or earlier will retain the default Initial File Browsing Policy of Allow for \\* SMB connections, which exposes this vulnerability even after upgrading. He advised administrators to check the PCS administrative page at Users -> Resource Policies -> Windows File Access Policies to view the current SMB policy.

A PCS policy that explicitly allows \\* “may allow users to initiate connections to arbitrary SMB server names,” Dormann advised, telling administrators to “configure the PCS to Deny connections to such resources to minimize your PCS attack surface.”

Add One More to the Growing List of Vulnerabilities

Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost on Tuesday that it’s “not exaggerated” to assign such a high severity score to this vulnerability. “Privilege escalations are a central element in many attack vectors, and this one would allow a root-privileged operation,” he noted via email.

Given that resources on cybersecurity teams are limited, a “quick fix” like what Pulse Secure issued – i.e., the XML files – is concerning, Schrader said. “The quick fix, if applied with no further consideration, [could] re-introduce more severe vulnerabilities recently discovered,” he said.

Those recently discovered vulnerabilities include:
