2: Set a Windows File Access Policyĭormann said that a PCS system that started as 9.1R2 or earlier will retain the default Initial File Browsing Policy of Allow for \\* SMB connections, which will expose this vulnerability. The workaround will block the ability to use Windows File Share Browser.
That makes it “imperative that a PCS system is running 9.1R11.4 before applying the Workaround-2105.xml mitigation,” he said, to ensure that the vulnerabilities outlined in SA44784 aren’t reintroduced as the result of applying the workaround. The workaround blocks requests that match these URI patterns:ĭormann advised users to note that Workaround-2105.xml will automatically deactivate the mitigations applied by an earlier workaround, Workaround-2104.xml. “Importing this XML workaround will activate the protections immediately,” according to Dormann’s report, and “does not require any downtime for the VPN system. Pulse Secure has published a quick fix: a Workaround-2105.xml file with a mitigation to protect against the vulnerability. There’s currently no practical solution to this problem, at least not that CERT/CC is aware of, according to Will Dormann, who both discovered the vulnerability and wrote up the CERT/CC report. PCS 9.1R11.4 systems are vulnerable: CERT/CC said that it’s managed to trigger the vulnerability by targeting the CGI script /dana/fb/smb/wnf.cgi, although “Other CGI endpoints may also trigger the vulnerable code.” “When specifying a long server name for some SMB operations, the smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” CERT/CC noted. CERT/CC explained that the gateway’s ability to connect to Windows file shares through a number of CGI endpoints could be leveraged to carry out an attack. The CERT Coordination Center issued a report about the vulnerability, explaining that the problem stems from a buffer overflow vulnerability in the PCS gateway. “As of version 9.1R3, this permission is not enabled by default.”
“Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,” according to the advisory.
The company explained that this high-severity bug – identified as CVE-2021-22908 and rated CVSS 8.5 – affects Pulse Connect Secure versions 9.0Rx and 9.1Rx. Pulse Secure’s parent company, Ivanti, issued an out-of-band advisory on May 14. Pulse Secure has issued a workaround for a critical remote-code execution (RCE) vulnerability in its Pulse Connect Secure (PCS) VPNs that may allow an unauthenticated, remote attacker to execute code as a user with root privileges.