Ivanti, the company behind Pulse Secure VPN appliances, has published a security advisory for a high severity vulnerability that could allow an authenticated remote attacker to execute arbitrary code with elevated privileges.
“Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,” the company said in an alert published on May 14. “As of version 9.1R3, this permission is not enabled by default.”
The flaw, identified as CVE-2021-22908, has a CVSS score of 8.5 out of a maximum of 10 and impacts Pulse Connect Secure versions 9.0Rx and 9.1Rx. In a report detailing the vulnerability, the CERT Coordination Center said the issue stems from the gateway’s ability to connect to Windows file shares through a number of CGI endpoints that could be leveraged to carry out the attack.
“When specifying a long server name for some SMB operations, the ‘smbclt’ application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” CERT/CC detailed in a vulnerability note published on Monday, adding it was able to trigger the vulnerable code by targeting the CGI script ‘/dana/fb/smb/wnf.cgi.’
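The bug class CERT/CC describes, a caller-controlled server name copied into a fixed-size buffer without a length check, is easy to see in miniature. The following is an added example written for this page; it is not smbclt’s code and does not claim to reproduce the actual flaw. The function names, the 255-byte name limit and the sample inputs are assumptions chosen for illustration. It places the vulnerable pattern beside a hardened version that validates the name before it reaches any fixed-size buffer.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example. The real smbclt limits are not published;
 * the point is only that some fixed size exists and must be enforced. */
#define SERVER_NAME_MAX 255

/* Vulnerable pattern (illustrative, not smbclt's code): the server name is
 * attacker-controlled, `unc` is a fixed-size stack buffer, and strcpy/strcat
 * copy until they hit a NUL. A server name longer than the buffer overwrites
 * whatever sits above `unc` on the stack. Never call this with untrusted input. */
void build_unc_path_vulnerable(char *out, const char *server, const char *share)
{
    char unc[256];
    strcpy(unc, "\\\\");
    strcat(unc, server);   /* unbounded: overflows when strlen(server) > ~252 */
    strcat(unc, "\\");
    strcat(unc, share);
    strcpy(out, unc);
}

/* Hardened version: reject over-long or malformed names before they touch any
 * fixed-size buffer, and use a size-bounded formatter with an explicit
 * truncation check so a too-small `out` is an error rather than silent data loss. */
bool build_unc_path(char *out, size_t out_len, const char *server, const char *share)
{
    size_t slen = 0;
    while (server[slen] != '\0') {
        unsigned char c = (unsigned char)server[slen];
        if (!isalnum(c) && c != '-' && c != '.' && c != '_')
            return false;            /* characters never valid in a host name */
        if (++slen > SERVER_NAME_MAX)
            return false;            /* too long: stop scanning, refuse the request */
    }
    if (slen == 0)
        return false;

    int n = snprintf(out, out_len, "\\\\%s\\%s", server, share);
    if (n < 0 || (size_t)n >= out_len)
        return false;                /* output would have been truncated */
    return true;
}

/* Constructed inputs so the example runs stand-alone. */
bool demo_short_name_accepted(void)
{
    char out[512];
    return build_unc_path(out, sizeof out, "fileserver01", "public")
        && strcmp(out, "\\\\fileserver01\\public") == 0;
}

bool demo_long_name_rejected(void)
{
    char name[2048];
    memset(name, 'A', sizeof name - 1);   /* 2047-byte "server name" */
    name[sizeof name - 1] = '\0';
    char out[512];
    return !build_unc_path(out, sizeof out, name, "public");
}

bool demo_bad_chars_rejected(void)
{
    char out[512];
    return !build_unc_path(out, sizeof out, "srv\\..\\..", "public");
}

bool demo_small_output_rejected(void)
{
    char out[8];
    return !build_unc_path(out, sizeof out, "fileserver01", "public");
}

int main(void)
{
    printf("short name accepted:   %s\n", demo_short_name_accepted() ? "yes" : "no");
    printf("long name rejected:    %s\n", demo_long_name_rejected() ? "yes" : "no");
    printf("bad chars rejected:    %s\n", demo_bad_chars_rejected() ? "yes" : "no");
    printf("small output rejected: %s\n", demo_small_output_rejected() ? "yes" : "no");
    return 0;
}
```

The hardened function refuses rather than truncates: silently cutting a name short would still let a request proceed with a name the operator never intended, so a length failure is treated as an error the caller must report. The vulnerable function is kept only for comparison and is never invoked in the example.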
Pulse Secure customers are recommended to upgrade to PCS Server version 9.1R11.5 when it becomes available. In the interim, Ivanti has published a workaround file (‘Workaround-2105.xml’) that can be imported to disable the Windows File Share Browser feature by adding the vulnerable URL endpoints to a blocklist and thus activate necessary mitigations to protect against this vulnerability.
It bears noting that users running PCS versions 9.1R11.3 or below would need to import a different file named ‘Workaround-2104.xml,’ necessitating that the PCS system is running 9.1R11.4 before applying the safeguards in ‘Workaround-2105.xml.’
While Ivanti has recommended turning off Windows File Browser on the Admin UI by disabling the option ‘Files, Window [sic]’ for specific user roles, CERT/CC found the steps were inadequate to protect against the flaw during its testing.
“The vulnerable CGI endpoints are still reachable in ways that will trigger the ‘smbclt’ application to crash, regardless of whether the ‘Files, Windows’ user role is enabled or not,” it noted.
“An attacker would need a valid DSID and ‘xsauth’ value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy.”
The disclosure of a new flaw arrives weeks after the Utah-based IT software company patched multiple critical security vulnerabilities in Pulse Connect Secure products, including CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900, the first of which was found to be actively exploited in the wild by at least two different threat actors.