Ivanti, the company behind Pulse Secure VPN appliances, has published a security advisory for a high-severity vulnerability that could allow an authenticated remote attacker to execute arbitrary code with elevated privileges.
“Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,” the company said in an alert published on May 14. “As of version 9.1R3, this permission is not enabled by default.”
The flaw, identified as CVE-2021-22908, has a CVSS score of 8.5 out of a maximum of 10 and affects Pulse Connect Secure versions 9.0Rx and 9.1Rx. In a report detailing the vulnerability, the CERT Coordination Center said the issue stems from the gateway’s ability to connect to Windows file shares through a number of CGI endpoints that could be leveraged to carry out the attack.
“When specifying a long server name for some SMB operations, the ‘smbclt’ application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” CERT/CC said in a vulnerability note published on Monday, adding that it was able to trigger the vulnerable code by targeting the CGI script ‘/dana/fb/smb/wnf.cgi.’
Pulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.5 when it becomes available. In the interim, Ivanti has published a workaround file (‘Workaround-2105.xml’) that can be imported to disable the Windows File Share Browser feature by adding the vulnerable URL endpoints to a blocklist, thus activating necessary mitigations to protect against this vulnerability.
It bears noting that users running PCS versions 9.1R11.3 or below would need to import a different file named ‘‘, necessitating that the PCS system is running 9.1R11.4 before applying the safeguards in ‘Workaround-2105.xml.’
While Ivanti has recommended turning off Windows File Browser in the Admin UI by disabling the option ‘Files, Window [sic]’ for specific user roles, CERT/CC found during its testing that these steps were inadequate to protect against the flaw.
“The vulnerable CGI endpoints are still reachable in ways that can trigger the ‘smbclt’ application to crash, regardless of whether the ‘Files, Windows’ user role is enabled or not,” it noted.
“An attacker would need a valid DSID and ‘xsauth’ value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy.”
The disclosure of a new flaw arrives weeks after the Utah-based IT software firm addressed a number of critical security vulnerabilities in Pulse Connect Secure products, including CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900, the first of which was found to be actively exploited by at least two different threat actors.
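As an added example (not code from the article, Ivanti or CERT/CC): a small Python scanner over constructed access-log lines that flags any request reaching the ‘/dana/fb/smb/wnf.cgi’ endpoint named above, since CERT/CC reports it stays reachable even with the ‘Files, Windows’ role disabled, and separately flags requests carrying an unusually long parameter value, the condition CERT/CC says crashes ‘smbclt’. The combined log format, the ‘server’ parameter name and the 256-character threshold are assumptions, not values from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# CGI path the CERT/CC note says can trigger the 'smbclt' crash.
VULN_ENDPOINTS = {"/dana/fb/smb/wnf.cgi"}
# Assumed review threshold for a "long" parameter value; the exact
# overflow length is not stated in the advisory, so tune this for your logs.
LONG_VALUE = 256

# Assumed combined access-log format: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec

def classify(line):
    """Label a line: None (not of interest), 'vuln-endpoint-access', or 'long-param'."""
    rec = parse_line(line)
    if rec is None or rec["path"] not in VULN_ENDPOINTS:
        return None
    longest = max((len(v) for _, v in rec["params"]), default=0)
    if longest >= LONG_VALUE:
        return "long-param"           # candidate crash attempt; correlate with smbclt crashes
    return "vuln-endpoint-access"     # endpoint used at all; should be blocked once the workaround is applied

def scan(lines):
    """Return (ip, user, path, label) for every line that hits a vulnerable endpoint."""
    hits = []
    for line in lines:
        label = classify(line)
        if label:
            rec = parse_line(line)
            hits.append((rec["ip"], rec["user"], rec["path"], label))
    return hits

# Constructed sample lines; paths other than wnf.cgi and the 'server' parameter name are assumptions.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/May/2021:09:58:01 +0000] "GET /dana/home/index.cgi HTTP/1.1" 200 1834',
    '203.0.113.5 - alice [14/May/2021:10:01:17 +0000] "GET /dana/fb/smb/wnf.cgi?server=fileserver01&share=docs HTTP/1.1" 200 512',
    '198.51.100.7 - bob [14/May/2021:10:04:42 +0000] "GET /dana/fb/smb/wnf.cgi?server=' + "A" * 300 + ' HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A hit on the endpoint after ‘Workaround-2105.xml’ has been imported indicates the blocklist is not in effect on that appliance.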