Pulse Secure VPNs Get Quick Fix for Critical RCE

One of the workaround XML files automatically deactivates protection from an earlier workaround: a potential path to older vulnerabilities being opened again.

Pulse Secure has issued a workaround for a critical remote-code execution (RCE) vulnerability in its Pulse Connect Secure (PCS) VPNs that may allow an unauthenticated, remote attacker to execute code as a user with root privileges.

Pulse Secure’s parent company, Ivanti, issued an out-of-band advisory on May 14. The company explained that this high-severity bug – identified as CVE-2021-22908 and rated CVSS 8.5 – affects Pulse Connect Secure versions 9.0Rx and 9.1Rx.

“Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,” according to the advisory. “As of version 9.1R3, this permission is not enabled by default.”

The CERT Coordination Center issued a report about the vulnerability, explaining that the problem stems from a buffer overflow vulnerability in the PCS gateway. CERT/CC explained that the gateway’s ability to connect to Windows file shares through a number of CGI endpoints could be leveraged to carry out an attack.

“When specifying a long server name for some SMB operations, the smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” CERT/CC noted. PCS 9.1R11.4 systems are vulnerable: CERT/CC said that it’s  managed to trigger the vulnerability by targeting the CGI script /dana/fb/smb/wnf.cgi, although “Other CGI endpoints may also trigger the vulnerable code.”

There’s currently no practical solution to this problem, at least not that CERT/CC is aware of, according to Will Dormann, who both discovered the vulnerability and wrote up the CERT/CC report. He offered two workarounds:

Fix No. 1: Apply XML Workaround

Pulse Secure has published a quick fix: a Workaround-2105.xml file with a mitigation to protect against the vulnerability. “Importing this XML workaround will activate the protections immediately,” according to Dormann’s report, and “does not require any downtime for the VPN system.

The workaround blocks requests that match these URI patterns:

^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb

Dormann advised users to note that Workaround-2105.xml will automatically deactivate the mitigations applied by an earlier workaround, Workaround-2104.xml. That makes it “imperative that a PCS system is running 9.1R11.4 before applying the Workaround-2105.xml mitigation,” he said, to ensure that the vulnerabilities outlined in SA44784 aren’t reintroduced as the result of applying the workaround.

The workaround will block the ability to use Windows File Share Browser.

Fix No. 2: Set a Windows File Access Policy

Dormann said that a PCS system that started as 9.1R2 or earlier will retain the default Initial File Browsing Policy of Allow for \\* SMB connections, which will expose this vulnerability. He advised users to check out the administrative page for the PCS, at Users -> Resource Policies -> Windows File Access Policies to view current SMB policy.

A PCS policy that explicitly allows \\* or otherwise “may allow users to initiate connections to arbitrary SMB server names,” Dormann advised, telling users to “configure the PCS to Deny connections to such resources to minimize your PCS attack surface.”

Add One More to the Growing List of Vulnerabilities

Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost on Tuesday that it’s “not exaggerated” to assign such a high severity score to this vulnerability. “Privilege escalations are a central element in many attack vectors, and this one would allow a root-privileged operation,” he noted via email.

Given that resources on cybersecurity teams are limited, a “quick fix” like what Pulse Secure issued – i.e., the XML files – is concerning, Schrader said. “The quick fix, if applied with no further consideration, [could] re-introduce more severe vulnerabilities recently discovered,” he said.

Those recently discovered vulnerabilities include:

  • May: Earlier this month, a critical zero-day flaw in Pulse Secure’s Connect Secure VPN devices was being used by at least two advanced persistent threat (APT) groups, likely linked to China, to attack U.S. defense, finance and government targets, as well as victims in Europe. That one wasn’t a one-off: At the same time, Pulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities. Attacker activity around the zero day was so high that it prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert warning businesses of the campaigns, which FireEye Mandiant telemetry indicates have been carried out by two main APT clusters with links to China: UNC2630 and UNC2717. CISA told CNN that it was aware of at least five federal civilian agencies who were attacked through Pulse Secure VPNs.
  • April: The FBI warned that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,” according to the Feds.
  • April: The Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims’ credentials – and now are using those credentials to move laterally through organizations, DHS warned.
  • October: CISA said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, CVE-2019-11510 was in play, used to gain access to employees’ legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.

052521 13:35 UPDATE: Threatpost has requested details from Pulse Secure about whether a permanent fix is in the works.

Download our exclusive FREE Threatpost Insider eBook, 2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles