Flawed password reset system opened the door to full account takeover
Customers of the Pega Infinity enterprise software platform are being advised to update their installations after a vulnerability was discovered by security researchers.
According to the research team – Sam Curry, Justin Rhinehart, Brett Buerhaus, and Maik Robert – CVE-2021-27651 is a critical-risk vulnerability in versions 8.2.1 to 8.5.2 of Pega’s Infinity software.
The proof of concept demonstrates how an attacker could bypass Pega Infinity’s password reset system.
Attackers could then use the reset account to “fully compromise” the Pega instance, via administrator-only remote code execution. This could include modifying dynamic pages, or templating.
The researchers worked with developer Pegasystems to produce a hot fix for the software.
The vendor recommends that customers running the software on-premises should check whether their version is affected and apply the relevant hot fix.
Enterprise software program pwnage
Pega Infinity is a popular enterprise software suite, with over 2,000 customers. The package includes customer service and sales automation, an AI-driven ‘customer decision hub’, workforce intelligence, and a ‘no-code’ development platform.
The security researchers came across the Pega Infinity vulnerability through participation in Apple’s bug bounty program.
“We’d been hacking on Apple’s bug bounty program for about six months and had spent a lot of time on software produced by Apple themselves,” UK-based hacker Sam Curry told The Daily Swig.
“We had decided to switch routes and target vendors [supplying technology to Apple] instead after reading a blog post from two great researchers.”
Behind the bug
The researchers used Burp Suite to discover the password reset weakness in Pega Infinity.
This allows a full compromise of any Pega instance with “no prerequisite knowledge”, according to Curry.
In addition, Justin Rhinehart developed a Nuclei template to determine whether a given system is running Pega Infinity.
“These systems are mostly public facing and aren’t necessarily designed to be run internally, so at the time of reporting there were a lot of affected customers running Pega Infinity externally,” Curry explained.
“Pega’s customers are from every sector and at the time of reporting some of the customers included the FBI, US Air Force, Apple, American Express, and a few other big names.”
Curry says that Pega was quick to work with the researchers to patch the vulnerability, though they needed time for customers running Infinity on-premises to update their installations. This process, Curry said, took over three months.
The Daily Swig has invited Pegasystems to comment on the findings.