Ivanti, the company behind Pulse Secure VPN appliances, has published a security advisory for a high severity vulnerability that could allow an authenticated remote attacker to execute arbitrary code with elevated privileges.
“Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,” the company said in an alert published on May 14. “As of version 9.1R3, this permission is not enabled by default.”
The flaw, identified as CVE-2021-22908, has a CVSS score of 8.5 out of a maximum of 10 and impacts Pulse Connect Secure versions 9.0Rx and 9.1Rx. In a report detailing the vulnerability, the CERT Coordination Center said the issue stems from the gateway's ability to connect to Windows file shares through a number of CGI endpoints that could be leveraged to carry out the attack.
“When specifying a long server name for some SMB operations, the ‘smbclt’ application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” CERT/CC detailed in a vulnerability note published on Monday, adding that it was able to trigger the vulnerable code by targeting the CGI script ‘/dana/fb/smb/wnf.cgi.’
Pulse Secure customers are advised to upgrade to PCS Server version 9.1R11.5 when it becomes available. In the interim, Ivanti has published a workaround file (‘Workaround-2105.xml’) that can be imported to disable the Windows File Share Browser feature by adding the vulnerable URL endpoints to a blocklist, thereby activating the necessary mitigations to protect against this vulnerability.
It bears noting that customers running PCS versions 9.1R11.3 or below would need to import a different file named ‘Workaround-2104.xml,’ necessitating that the PCS system is running 9.1R11.4 before applying the safeguards in ‘Workaround-2105.xml.’
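As an added example that is not from the article or from Ivanti, the following Python maps an installed PCS version string to the remediation path described above (fixed release, which workaround file applies, and whether the SMB browse permission was on by default). The version syntax "9.1R11.4" and its numeric ordering are assumptions.

```python
import re

# Assumed version syntax: "<major>.<minor>R<release>[.<patch>]", e.g. "9.1R11.4".
# Ordering the four numeric fields as a tuple is an assumption, not advisory text.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

AFFECTED_BRANCHES = {(9, 0), (9, 1)}      # advisory: 9.0Rx and 9.1Rx are affected
FIXED_VERSION = (9, 1, 11, 5)             # 9.1R11.5 carries the fix
WORKAROUND_2105_MIN = (9, 1, 11, 4)       # Workaround-2105.xml needs 9.1R11.4
SMB_BROWSE_OFF_BY_DEFAULT = (9, 1, 3, 0)  # "as of 9.1R3 ... not enabled by default"
ROLE_NOTE = ("disabling the 'Files, Windows' role alone was found insufficient "
             "by CERT/CC; the CGI endpoints stay reachable")


def parse_pcs_version(text):
    """Turn '9.1R11.4' into (9, 1, 11, 4); a missing patch field counts as 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def triage_cve_2021_22908(version_text):
    """Return the status and action the advisory prescribes for one PCS version."""
    version = parse_pcs_version(version_text)
    result = {"version": version, "smb_browse_default_on": None, "note": None}
    if version[:2] not in AFFECTED_BRANCHES:
        result.update(status="unlisted",
                      action="not in the 9.0Rx/9.1Rx range named as affected; confirm with vendor")
        return result
    # Older 9.x builds enable the SMB share-browse permission by default, which
    # widens the set of authenticated users able to reach the vulnerable code.
    result["smb_browse_default_on"] = version < SMB_BROWSE_OFF_BY_DEFAULT
    if version >= FIXED_VERSION:
        result.update(status="fixed", action="none required: 9.1R11.5 or later")
    elif version >= WORKAROUND_2105_MIN:
        result.update(status="affected", note=ROLE_NOTE,
                      action="import Workaround-2105.xml (blocklists the vulnerable CGI "
                             "endpoints); upgrade to 9.1R11.5 when available")
    else:
        result.update(status="affected", note=ROLE_NOTE,
                      action="import Workaround-2104.xml; Workaround-2105.xml applies only "
                             "once the system runs 9.1R11.4; upgrade to 9.1R11.5 when available")
    return result
```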
While Ivanti has recommended turning off Windows File Browser in the Admin UI by disabling the option ‘Files, Window [sic]’ for specific user roles, CERT/CC found those steps inadequate to protect against the flaw during its testing.
“The vulnerable CGI endpoints are still reachable in ways that will trigger the ‘smbclt’ application to crash, regardless of whether the ‘Files, Windows’ user role is enabled or not,” it noted.
“An attacker would need a valid DSID and ‘xsauth’ value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy.”
The disclosure of a new flaw arrives weeks after the Utah-based IT software company patched multiple critical security vulnerabilities in Pulse Connect Secure products, including CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900, the first of which was found to be actively exploited in the wild by at least two different threat actors.