Pulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code.
PCS includes the ability to connect to Windows file shares (SMB). This capability is provided by a number of CGI scripts, which in turn use libraries and helper applications based on Samba 4.5.10. When specifying a long server name for some SMB operations, the
smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified. We have confirmed that PCS 9.1R11.4 systems are vulnerable, targeting a CGI endpoint of:
/dana/fb/smb/wnf.cgi. Other CGI endpoints may also trigger the vulnerable code.
Specifying a long server name to this endpoint may result in a PCS events log entry that may look like the following:
Critical ERR31093 2021-05-24 14:05:37 - ive - [127.0.0.1] Root::System() - Program smbclt recently failed.
Successful exploitation of this vulnerability may not produce such a log entry if the program is cleanly exited during exploitation, or if the log files are sanitized after successful exploitation.
In order to be vulnerable, a PCS server must have a Windows File Access policy that allows
\\* or it must have some other policy set that would allow an attacker to connect to an arbitrary server. In the administrative page for the PCS, see
Users -> Resource Policies -> Windows File Access Policies to view your current SMB policy. Any PCS device that started as version 9.1R2 or earlier will have a default policy that allows connecting to arbitrary SMB hosts. Starting with 9.1R3, this policy was changed from a default allow to a default deny.
Note that the vendor implies that the
Files, Window[sic] access feature can be disabled for user roles in order to protect against this vulnerability. This is NOT the case. The vulnerable CGI endpoints are still reachable in ways that will trigger the
smbclt application to crash, regardless of whether the
Files, Windows user role is enabled or not. These steps are only included in the advisory to limit excessive errors showing up in PCS logs after the XML workaround has been installed.
In our testing, an attacker would need either valid PCS user credentials, or a
DSID value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy. We have created a PoC utility to test for PCS systems vulnerable to CVE-2021-22908 as well as which mitigations may be applied.
By performing certain SMB operations with a specially-crafted server name, an authenticated attacker may be able to execute arbitrary code with root privileges on a vulnerable PCS server.
Apply an update
This issue is addressed in PCS 9.1R11.5. Please see advisory SA44800 for more details.
Apply an XML workaround
Pulse Secure has published advisory SA44800 that mentions a Workaround-2105.xml file that contains a mitigation to protect against this vulnerability. Importing this XML workaround will activate the protections immediately and does not require any downtime for the VPN system. This workaround will block requests that match the following URI patterns:
Workaround-2105.xml will automatically deactivate the mitigations applied by
Workaround-2104.xml when it is installed. As such, it is imperative that a PCS system is running 9.1R11.4 before applying the
Workaround-2105.xml mitigation, which will ensure that the vulnerabilities outlined in SA44784 are not reintroduced as the result of applying this workaround.
Note that installing this workaround will block the ability to use the following feature:
- Windows File Share Browser
Set a Windows File Access Policy
This vulnerability relies on the ability to connect to an arbitrary SMB server name to trigger the vulnerability. A PCS system that started as version 9.1R3 or later will have a default Initial File Browsing Policy of Deny for
\\* SMB connections. If you have a PCS system that started as 9.1R2 or earlier, it will retain the default Initial File Browsing Policy of Allow for
\\* SMB connections, which will expose this vulnerability. In the administrative page for the PCS, see
Users -> Resource Policies -> Windows File Access Policies to view your current SMB policy.
If your PCS has a policy that explicitly allows
\\* or otherwise may allow users to initiate connections to arbitrary SMB server names, you should configure the PCS to Deny connections to such resources to minimize your PCS attack surface.
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
|Date First Published:||2021-05-24|
|Date Last Updated:||2021-06-17 20:42 UTC|