Pulse Connect Secure Samba buffer overflow

Overview

Pulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code.

Description

CVE-2021-22908

PCS includes the ability to connect to Windows file shares (SMB). This capability is provided by a number of CGI scripts, which in turn use libraries and helper applications based on Samba 4.5.10. When specifying a long server name for some SMB operations, the smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified. We have confirmed that PCS 9.1R11.4 systems are vulnerable, targeting a CGI endpoint of: /dana/fb/smb/wnf.cgi. Other CGI endpoints may also trigger the vulnerable code.

Specifying a long server name to this endpoint may result in a PCS events log entry that may look like the following:

Critical ERR31093 2021-05-24 14:05:37 - ive - [127.0.0.1] Root::System()[] - Program smbclt recently failed. 

Successful exploitation of this vulnerability may not produce such a log entry if the program is cleanly exited during exploitation, or if the log files are sanitized after successful exploitation.

In order to be vulnerable, a PCS server must have a Windows File Access policy that allows \\* or it must have some other policy set that would allow an attacker to connect to an arbitrary server. In the administrative page for the PCS, see Users -> Resource Policies -> Windows File Access Policies to view your current SMB policy. Any PCS device that started as version 9.1R2 or earlier will have a default policy that allows connecting to arbitrary SMB hosts. Starting with 9.1R3, this policy was changed from a default allow to a default deny.

Note that the vendor implies that the Files, Window[sic] access feature can be disabled for user roles in order to protect against this vulnerability. This is NOT the case. The vulnerable CGI endpoints are still reachable in ways that will trigger the smbclt application to crash, regardless of whether the Files, Windows user role is enabled or not. These steps are only included in the advisory to limit excessive errors showing up in PCS logs after the XML workaround has been installed.

In our testing, an attacker would need either valid PCS user credentials, or a DSID value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy. We have created a PoC utility to test for PCS systems vulnerable to CVE-2021-22908 as well as which mitigations may be applied.

Impact

By performing certain SMB operations with a specially-crafted server name, an authenticated attacker may be able to execute arbitrary code with root privileges on a vulnerable PCS server.

Solution

Apply an update

This issue is addressed in PCS 9.1R11.5. Please see advisory SA44800 for more details.

Apply an XML workaround

Pulse Secure has published advisory SA44800 that mentions a Workaround-2105.xml file that contains a mitigation to protect against this vulnerability. Importing this XML workaround will activate the protections immediately and does not require any downtime for the VPN system. This workaround will block requests that match the following URI patterns:

^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb

Workaround-2105.xml will automatically deactivate the mitigations applied by Workaround-2104.xml when it is installed. As such, it is imperative that a PCS system is running 9.1R11.4 before applying the Workaround-2105.xml mitigation, which will ensure that the vulnerabilities outlined in SA44784 are not reintroduced as the result of applying this workaround.

Note that installing this workaround will block the ability to use the following feature:

• Windows File Share Browser

Set a Windows File Access Policy

This vulnerability relies on the ability to connect to an arbitrary SMB server name to trigger the vulnerability. A PCS system that started as version 9.1R3 or later will have a default Initial File Browsing Policy of Deny for \\* SMB connections. If you have a PCS system that started as 9.1R2 or earlier, it will retain the default Initial File Browsing Policy ofAllow for \\* SMB connections, which will expose this vulnerability. In the administrative page for the PCS, see Users -> Resource Policies -> Windows File Access Policies to view your current SMB policy.

If your PCS has a policy that explicitly allows \\* or otherwise may allow users to initiate connections to arbitrary SMB server names, you should configure the PCS to Deny connections to such resources to minimize your PCS attack surface.

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Vendor Information

667933

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Ivanti __ Affected

Notified: 2021-06-09 Updated: 2021-06-17 CVE-2021-22908	Affected

Vendor Statement

We have not received a statement from the vendor.

References

• <https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800&gt;

Pulse Secure __ Affected

Notified: 2021-05-06 Updated: 2021-05-25

Statement Date: May 25, 2021

CVE-2021-22908	Affected

Vendor Statement

Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. As of version 9.1R3, this permission is not enabled by default.

References

• <https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800/?kA23Z000000boUgSAI&gt;

References

• <https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800&gt;
• <https://github.com/CERTCC/PoC-Exploits/blob/master/cve-2021-22908/cve-2021-22908.py&gt;

Other Information

CVE IDs:	CVE-2021-22908
Date Public:	2021-05-24 Date First Published: