Ivanti, the company behind Pulse Secure VPN appliances, has published a security advisory for a high-severity vulnerability that could allow an authenticated remote attacker to execute arbitrary code with elevated privileges.
"Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user," the company said in an alert published on May 14. "As of version 9.1R3, this permission is not enabled by default."
The flaw, tracked as CVE-2021-22908, has a CVSS score of 8.5 out of a maximum of 10 and affects Pulse Connect Secure versions 9.0Rx and 9.1Rx. In a report detailing the vulnerability, the CERT Coordination Center (CERT/CC) said the issue stems from the gateway's ability to connect to Windows file shares through a number of CGI endpoints, which could be leveraged to carry out the attack.
"When specifying a long server name for some SMB operations, the 'smbclt' application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified," CERT/CC detailed in a vulnerability note published on Monday, adding that it was able to trigger the vulnerable code by targeting the CGI script '/dana/fb/smb/wnf.cgi'.
Pulse Secure customers are advised to upgrade to PCS Server version 9.1R11.5 when it becomes available. In the interim, Ivanti has published a workaround file ('Workaround-2105.xml') that can be imported to disable the Windows File Share Browser feature by adding the vulnerable URL endpoints to a blocklist, thereby activating the mitigations needed to protect against this vulnerability.
It bears noting that customers running PCS versions 9.1R11.3 or below must first import a different file, 'Workaround-2104.xml'; the safeguards in 'Workaround-2105.xml' apply only once the PCS system is running 9.1R11.4.
While Ivanti has also recommended turning off the Windows File Browser in the Admin UI by disabling the option 'Files, Window [sic]' for specific user roles, CERT/CC found during its testing that this step alone is insufficient to protect against the flaw.
"The vulnerable CGI endpoints are still reachable in ways that will cause the 'smbclt' application to crash, regardless of whether the 'Files, Windows' user role is enabled or not," it noted.
"An attacker would need a valid DSID and 'xsauth' value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy."
The disclosure of a new flaw comes weeks after the Utah-based IT software company patched multiple critical security vulnerabilities in Pulse Connect Secure products, including CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900, the first of which was found to be actively exploited in the wild by at least two different threat actors.