Ivanti addressed a high-severity buffer overflow vulnerability in Pulse Connect Secure VPN appliances that could allow a remote authenticated attacker to execute arbitrary code with elevated privileges.
The vulnerability, tracked as CVE-2021-22908, has received a CVSS score of 8.5 and impacts Pulse Connect Secure versions 9.0Rx and 9.1Rx.
“Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. As of version 9.1R3, this permission is not enabled by default.” reads the security advisory published by the company. “The solution for this vulnerability is to upgrade the Pulse Connect Secure server software version to the 9.1R.11.5. We will update the advisory once the timelines are available.”
The CERT Coordination Center also published an advisory about the vulnerability, which is tied to the ability of Pulse Connect Secure appliances to connect to Windows file shares (SMB). According to the CERT, this capability is implemented by a number of CGI scripts that use libraries and helper applications based on Samba 4.5.10.
“When specifying a long server name for some SMB operations, the smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified. We have confirmed that PCS 9.1R11.4 systems are vulnerable, targeting a CGI endpoint of: /dana/fb/smb/wnf.cgi. Other CGI endpoints may also trigger the vulnerable code.” reads the alert published by the CERT Coordination Center. “Specifying a long server name to this endpoint may result in a PCS events log entry that may look like the following:
Critical ERR31093 2021-05-24 14:05:37 - ive - [127.0.0.1] Root::System() - Program smbclt recently failed.
“Successful exploitation of this vulnerability may not produce such a log entry if the program is cleanly exited during exploitation, or if the log files are sanitized after successful exploitation.”
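As an added illustration that is not part of the article or the CERT/CC alert, the Python below parses PCS events-log lines of the shape quoted above, flags ERR31093 smbclt crashes, and reports how tightly they cluster in time (a burst of crashes is worth investigating). The field layout beyond the single quoted line, and every sample entry other than that line, are assumptions.

```python
import re
from datetime import datetime

# Field layout inferred from the single ERR31093 line quoted above; the meaning of the
# node and user fields is an assumption.
PCS_EVENT = re.compile(
    r"^(?P<severity>\w+)\s+(?P<msgid>[A-Z]{3}\d+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+-\s+(?P<node>\S+)\s+-\s+"
    r"\[(?P<ip>[^\]]+)\]\s+(?P<user>\S+)\s+-\s+(?P<msg>.*)$"
)

# Constructed sample log: the ERR31093 lines follow the CERT/CC example; INF* IDs are placeholders.
SAMPLE_LOG = """\
Info INF00001 2021-05-24 14:01:02 - ive - [203.0.113.7] Root::System() - User alice logged in.
Critical ERR31093 2021-05-24 14:05:37 - ive - [127.0.0.1] Root::System() - Program smbclt recently failed.
Critical ERR31093 2021-05-24 14:05:41 - ive - [127.0.0.1] Root::System() - Program smbclt recently failed.
Info INF00002 2021-05-24 14:06:00 - ive - [127.0.0.1] Root::System() - Scheduled task completed.
Critical ERR31093 2021-05-24 16:30:12 - ive - [127.0.0.1] Root::System() - Program smbclt recently failed.
"""

def parse_event(line):
    """Parse one PCS events-log line into a dict, or return None if it does not match."""
    m = PCS_EVENT.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev

def is_smbclt_crash(ev):
    """ERR31093 'Program smbclt recently failed' is the crash signature CERT/CC describes."""
    return ev is not None and ev["msgid"] == "ERR31093" and "smbclt" in ev["msg"]

def max_in_window(times, window_seconds):
    """Largest number of (sorted) timestamps that fall inside any window_seconds interval."""
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def smbclt_crash_report(lines, window_seconds=300):
    """Count smbclt crashes and how tightly they cluster. A clean exit or sanitised
    logs leave no entry, so zero hits does not prove the endpoint was never abused."""
    crashes = [ev for ev in map(parse_event, lines) if is_smbclt_crash(ev)]
    times = sorted(ev["ts"] for ev in crashes)
    return {"crashes": len(crashes),
            "max_in_window": max_in_window(times, window_seconds) if times else 0}
```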
Ivanti also provided a workaround that disables the Windows File Share Browser feature by adding the vulnerable URL endpoints to a blocklist. Importing this XML workaround activates the protection immediately and, as the vendor pointed out, does not require any downtime for the VPN system. Versions prior to 9.1R11.3 need to import the ‘Workaround-2104.xml‘ file.
“The vulnerable CGI endpoints are still reachable in ways that will trigger the ‘smbclt’ application to crash, regardless of whether the ‘Files, Windows’ user role is enabled or not,” continues the advisory. “An attacker would need a valid DSID and ‘xsauth’ value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy.”
(SecurityAffairs – hacking, VPN)