Pulse Secure VPNs Receive Urgent New Update for Poorly Fixed Critical Defects
Pulse Secure has shipped a patch for a critical post-authentication remote code execution (RCE) vulnerability in its Connect Secure virtual private network (VPN) appliances, addressing an incomplete fix for an actively exploited vulnerability that it had previously resolved in October 2020.
“The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability that allows an attacker to overwrite arbitrary files, resulting in remote code execution as root,” Richard Warren of NCC Group disclosed on Friday. “This vulnerability is a bypass of the patch for CVE-2020-8260.”
“An attacker with such access will be able to bypass any restrictions imposed through the web application, as well as remount the file system, which will allow them to create a persistent backdoor, extract and decrypt credentials, compromise VPN clients, or pivot into the internal network,” Warren added.
The disclosure comes days after Ivanti, the company behind Pulse Secure, published an advisory on August 2 covering up to six security vulnerabilities, urging customers to upgrade promptly to Pulse Connect Secure version 9.1R12 to protect against any attempted exploitation of the flaws.
Tracked as CVE-2021-22937 (CVSS score: 9.1), the flaw could “allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface,” according to Pulse Secure. CVE-2020-8260 (CVSS score: 7.2), an arbitrary code execution flaw arising from uncontrolled gzip extraction, was fixed in October 2020 with version 9.1R9.
The vulnerability stems from a flaw in the way archive (.TAR) files are extracted in the administrator web interface. While additional checks were added to validate the TAR file and prevent exploitation of CVE-2020-8260, further variant and patch analysis revealed that the same extraction vulnerability from CVE-2020-8260 could be exploited in the part of the source code that handles profiler device databases, thereby circumventing the mitigations that had been put in place.
“Although this issue has been fixed by adding validation to extracted files, that validation does not apply to ‘profiler’ type archives,” Warren said. “Therefore, by simply modifying the original CVE-2020-8260 exploit to change the archive type to ‘profiler’, the fix can be bypassed and code execution achieved.”
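The lesson of the bypass above is that archive-member validation has to live in the one code path every archive type goes through, not be bolted onto one caller. The following is an added example written for this article, not Pulse Secure's or NCC Group's code, showing how a defender would structure tar extraction so that path-traversal, symlink and device members are rejected before anything is written, regardless of what the caller labels the archive. The `archive_kind` parameter, the `build_tar` helper and the sample archives are constructed for illustration and have no relation to any product's real format.

```python
import io
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


class UnsafeArchiveError(ValueError):
    """Raised when an archive member could write outside the extraction root."""


def validate_tar_member(member: tarfile.TarInfo, dest: Path) -> None:
    """Reject any member that could escape dest or create something other
    than a plain file or directory.

    This function is the single chokepoint: every archive, whatever 'kind'
    the caller believes it is handling, must pass through it.
    """
    name = member.name
    # Only regular files and directories are acceptable in an uploaded
    # archive; symlinks/hardlinks can point outside the root even when the
    # member name looks clean, and device nodes have no business here.
    if not (member.isfile() or member.isdir()):
        raise UnsafeArchiveError(f"unsupported member type for {name!r}")
    root = dest.resolve()
    target = (root / name).resolve()
    # Absolute names and '..' components both resolve outside the root.
    if target != root and root not in target.parents:
        raise UnsafeArchiveError(f"member escapes extraction root: {name!r}")


def check_archive(archive_bytes: bytes, dest: Path,
                  archive_kind: str = "generic") -> Optional[str]:
    """Return None if every member is safe to extract into dest, else the
    reason it was rejected. archive_kind is a hypothetical label only: it
    is deliberately NOT used to decide which checks run."""
    try:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
            for m in tar.getmembers():
                validate_tar_member(m, dest)
    except UnsafeArchiveError as exc:
        return f"{archive_kind}: {exc}"
    return None


def safe_extract(archive_bytes: bytes, dest: Path,
                 archive_kind: str = "generic") -> List[str]:
    """Validate every member, then write them; returns the names extracted.

    All members are validated before the first write so a bad member late in
    the archive cannot leave a half-extracted tree behind."""
    reason = check_archive(archive_bytes, dest, archive_kind)
    if reason is not None:
        raise UnsafeArchiveError(reason)
    root = dest.resolve()
    root.mkdir(parents=True, exist_ok=True)
    extracted: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            target = (root / m.name).resolve()
            if m.isdir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(m) as src, open(target, "wb") as out:
                    out.write(src.read())
            extracted.append(m.name)
    return extracted


def build_tar(files: Dict[str, bytes],
              symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Build an in-memory tar from constructed entries (test input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, link_target in (symlinks or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = link_target
            tar.addfile(info)
    return buf.getvalue()


def demo_roundtrip() -> Dict[str, object]:
    """Extract a constructed benign archive into a temp dir and report what
    landed on disk."""
    with tempfile.TemporaryDirectory() as d:
        dest = Path(d) / "out"
        names = safe_extract(build_tar({"conf/settings.txt": b"ok"}), dest)
        content = (dest / "conf" / "settings.txt").read_bytes()
    return {"names": names, "content": content}


if __name__ == "__main__":
    print(demo_roundtrip())
    for kind in ("generic", "profiler"):
        print(check_archive(build_tar({"../outside.txt": b"x"}), Path("/tmp/ex"), kind))
```

The design point is in `safe_extract`: it calls `check_archive` unconditionally, so adding a new archive type means adding a new caller, not a new exemption. A per-type allowlist of member names or extensions can be layered on top, but it belongs after the shared path check, never instead of it.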
It should be noted that CVE-2020-8260 was one of four Pulse Secure flaws actively exploited by threat actors in early April to stage a series of intrusions targeting defense, government and financial entities in the United States and beyond, in an attempt to bypass multi-factor authentication protections and breach corporate networks. Given the possibility of real-world exploitation, upgrading to Pulse Connect Secure (PCS) 9.1R12 or later is strongly recommended.
“A rigorous code review is just one step we take to further strengthen our security and protect our customers,” said Daniel Spicer, vice president of security at Ivanti. “For example, we are also further expanding our existing internal product security resources to accelerate the pace and intensity of testing on existing products as well as those of the companies or systems that we integrate into Ivanti.”