
High severity vulnerability reported in Pulse Connect Secure gateway

Pulse Connect Secure has been reported to contain a buffer overflow vulnerability in its Samba-related code, which may allow a remote authenticated attacker to execute arbitrary code as the root user.

Pulse Secure VPN, the Ivanti product commonly used to connect to networks via VPN, has published a high severity vulnerability in its product which may allow a remote authenticated attacker to execute arbitrary code.

The flaw, identified as CVE-2021-22908, has been assigned a CVSS score of 8.5 out of 10 and impacts Pulse Connect Secure versions 9.0Rx and 9.1Rx.

CERT has published a detailed report which states: "PCS includes the ability to connect to Windows file shares (SMB). This capability is provided by a number of CGI scripts, which in turn use libraries and helper applications based on Samba 4.5.10. When specifying a long server name for some SMB operations, the smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified. We have confirmed that PCS 9.1R11.4 systems are vulnerable, targeting a CGI endpoint of: /dana/fb/smb/wnf.cgi."

"In order to be vulnerable, a PCS server must have a Windows File Access policy that allows \\* or it must have some other policy set that would allow an attacker to connect to an arbitrary server. In the administrative page for the PCS, see Users -> Resource Policies -> Windows File Access Policies to view your current SMB policy. Any PCS device that started as version 9.1R2 or earlier will have a default policy that allows connecting to arbitrary SMB hosts. Starting with 9.1R3, this policy was changed from a default allow to a default deny."
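As an added illustration of the policy review CERT asks administrators to perform (this is example code, not from the article, CERT or Ivanti), the script below flags Windows File Access allow rules whose server component is a wildcard such as \\*. The policy tuple format is a constructed simplification and is not the PCS export format.

```python
"""Flag Windows File Access policies that permit connections to arbitrary
SMB servers, the precondition CERT names for CVE-2021-22908.

Added example. The (name, resource, action) tuples are a constructed,
simplified representation of a PCS policy list, not the real export format.
"""
from typing import List, Tuple

# (policy name, UNC resource pattern, "allow" or "deny")
Policy = Tuple[str, str, str]


def server_part(resource: str) -> str:
    """Return the server component of a UNC resource such as \\\\host\\share."""
    stripped = resource.lstrip("\\")
    return stripped.split("\\", 1)[0]


def risky_policies(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (policy name, reason) for every allow rule whose host is a wildcard.

    A bare '*' host is the "allows \\\\*" case from the advisory; any other
    wildcard in the host component is reported as a broad pattern for review.
    """
    findings = []
    for name, resource, action in policies:
        if action.lower() != "allow":
            continue  # deny rules are the post-9.1R3 default and are not risky
        host = server_part(resource)
        if host == "*":
            findings.append((name, "allows connection to any SMB server"))
        elif any(ch in host for ch in "*?["):
            findings.append((name, f"wildcard host pattern {host!r}"))
    return findings


def needs_workaround(policies: List[Policy]) -> bool:
    """True when at least one allow rule reaches an arbitrary or wildcard host."""
    return bool(risky_policies(policies))


# Constructed sample: a pre-9.1R3 style default allow, two scoped rules,
# and the default deny that 9.1R3 and later ship with.
SAMPLE_POLICIES: List[Policy] = [
    ("Default allow", "\\\\*", "allow"),
    ("Finance shares", "\\\\fs01.corp.example\\finance", "allow"),
    ("Any lab host", "\\\\lab-*\\*", "allow"),
    ("Default deny", "\\\\*", "deny"),
]

if __name__ == "__main__":
    for name, reason in risky_policies(SAMPLE_POLICIES):
        print(f"REVIEW: {name}: {reason}")
```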

Solution:

At the time of writing there is no fix available for this issue; however, Pulse Secure has published a Workaround-2105.xml file that contains a mitigation to protect against this vulnerability. Importing this XML workaround activates the protections immediately and does not require any downtime for the VPN system.

For more cyber security news in crisp content, please follow our site.
