Pulse Secure VPNs Get Quick Fix for Critical RCE


Pulse Secure has issued a workaround for a critical remote-code execution (RCE) vulnerability in its Pulse Connect Secure (PCS) VPNs that may allow an unauthenticated, remote attacker to execute code as a user with root privileges. Pulse Secure’s parent company, Ivanti, issued an out-of-band [advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800>) on May 14. The company explained that this high-severity bug – identified as [CVE-2021-22908](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22908>) and rated CVSS 8.5 – affects Pulse Connect Secure versions 9.0Rx and 9.1Rx. “Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,” according to the advisory. “As of version 9.1R3, this permission is not enabled by default.” [![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>) The CERT Coordination Center issued a [report](<https://kb.cert.org/vuls/id/667933>) about the vulnerability, explaining that the problem stems from a buffer overflow vulnerability in the PCS gateway. CERT/CC explained that the gateway’s ability to connect to Windows file shares through a number of CGI endpoints could be leveraged to carry out an attack. “When specifying a long server name for some SMB operations, the `smbclt` application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” CERT/CC noted. PCS 9.1R11.4 systems are vulnerable: CERT/CC said that it’s managed to trigger the vulnerability by targeting the CGI script `/dana/fb/smb/wnf.cgi`, although “Other CGI endpoints may also trigger the vulnerable code.” There’s currently no practical solution to this problem, at least not that CERT/CC is aware of, according to Will Dormann, who both discovered the vulnerability and wrote up the CERT/CC report. He offered two workarounds: ## Fix No. 1: Apply XML Workaround Pulse Secure has published a quick fix: a Workaround-2105.xml file with a mitigation to protect against the vulnerability. “Importing this XML workaround will activate the protections immediately,” according to Dormann’s report, and “does not require any downtime for the VPN system. The workaround blocks requests that match these URI patterns: `^/+dana/+fb/+smb` `^/+dana-cached/+fb/+smb` Dormann advised users to note that `Workaround-2105.xml` will automatically deactivate the mitigations applied by an earlier workaround, `Workaround-2104.xml`. That makes it “imperative that a PCS system is running 9.1R11.4 before applying the `Workaround-2105.xml` mitigation,” he said, to ensure that the vulnerabilities outlined in [SA44784](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>) aren’t reintroduced as the result of applying the workaround. The workaround will block the ability to use Windows File Share Browser. ## Fix No. 2: Set a Windows File Access Policy Dormann said that a PCS system that started as 9.1R2 or earlier will retain the default Initial File Browsing Policy of Allow for `\\*` SMB connections, which will expose this vulnerability. He advised users to check out the administrative page for the PCS, at `Users -> Resource Policies -> Windows File Access Policies` to view current SMB policy. A PCS policy that explicitly allows `\\*` or otherwise “may allow users to initiate connections to arbitrary SMB server names,” Dormann advised, telling users to “configure the PCS to Deny connections to such resources to minimize your PCS attack surface.” ## Add One More to the Growing List of Vulnerabilities Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost on Tuesday that it’s “not exaggerated” to assign such a high severity score to this vulnerability. “Privilege escalations are a central element in many attack vectors, and this one would allow a root-privileged operation,” he noted via email. Given that resources on cybersecurity teams are limited, a “quick fix” like what Pulse Secure issued – i.e., the XML files – is concerning, Schrader said. “The quick fix, if applied with no further consideration, [could] re-introduce more severe vulnerabilities recently discovered,” he said. Those recently discovered vulnerabilities include: * **May: **Earlier this month, a [critical zero-day](<https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/>) flaw in Pulse Secure’s Connect Secure VPN devices was being used by at least two advanced persistent threat (APT) groups, likely linked to China, to attack U.S. defense, finance and government targets, as well as victims in Europe. That one wasn’t a one-off: At the same time, Pulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities. Attacker activity around the zero day was so high that it prompted the Cybersecurity and Infrastructure Security Agency (CISA) [to issue an alert](<https://cyber.dhs.gov/ed/21-03/>) warning businesses of the campaigns, which [FireEye Mandiant](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) telemetry indicates have been carried out by two main APT clusters with links to China: UNC2630 and UNC2717. [CISA told CNN](<https://itwire.com/security/five-us-government-agencies-attacked-through-pulse-secure-vpns.html>) that it was aware of at least five federal civilian agencies who were attacked through Pulse Secure VPNs. * **April:** [The FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,” according to the Feds. * **April**: The Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims’ credentials – and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>). * **October**: CISA said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees’ legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely. 052521 13:35 UPDATE: Threatpost has requested details from Pulse Secure about whether a permanent fix is in the works. **Download our exclusive FREE Threatpost Insider eBook, ****_“_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,”_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now – on us!**