Pulse Secure has released an urgent fix for a critical post-authentication remote code execution (RCE) vulnerability in its Connect Secure VPN appliances. The fix addresses an incomplete patch for a widely exploited flaw; a first attempt to resolve that flaw was made in October 2020.
Problem Overview
The flaw allows an attacker to overwrite arbitrary files, which results in remote code execution as root. The vulnerability is a bypass of the patch for CVE-2020-8260. With such control, the attacker is able to:
- Bypass restrictions enforced by the web application
- Create a persistent backdoor
- Remount the file system
- Extract and decrypt credentials
- Compromise VPN clients
List Of Vulnerabilities
Ivanti has published an advisory covering as many as six security vulnerabilities and urges users to upgrade to Pulse Connect Secure version 9.1R12 to protect themselves against exploitation of the flaws.
CVE-2021-22937 (CVSS score: 9.1) allows an attacker to perform an arbitrary file write via a maliciously crafted archive uploaded to the administrator web interface.
CVE-2020-8260 (CVSS score: 7.2) concerns arbitrary code execution via uncontrolled gzip extraction; it was patched in October 2020.
The vulnerability is caused by a flaw in the way archive (.TAR) files are extracted in the admin web interface. Further validation checks were added for uploaded TAR files to prevent exploitation of CVE-2020-8260, but patch analysis and variant hunting revealed that the same vulnerability can still be exploited in the part of the source code that handles the profiler device databases, which effectively bypasses the mitigations put in place.
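The following is an added example, not Pulse Secure or Ivanti code, showing the general bug class behind an arbitrary file write via a crafted archive: a tar member whose name or link target resolves outside the directory it is being extracted into. The page does not describe the exact member layout used against CVE-2021-22937, so the archives built below (a benign one, a `../` traversal, an absolute path and an escaping symlink) are constructed samples; the validator is generic and checks every member before anything is written to disk.

```python
"""Hardened extraction of uploaded tar archives.

Added example (not Pulse Secure or Ivanti code): it shows the general bug
class behind "arbitrary file write via a crafted archive", namely archive
members whose names or link targets resolve outside the extraction
directory.  The page does not describe the exact member layout used against
CVE-2021-22937, so every archive built here is a constructed sample.
"""
import io
import os
import tarfile
import tempfile
from typing import Optional


def _inside(root: str, path: str) -> bool:
    """True if path, after resolving '..' segments and symlinks, stays under root."""
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def member_problem(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return a reason to reject this member, or None if it may be extracted."""
    root = os.path.realpath(dest)
    # os.path.join discards root when member.name is absolute, so absolute
    # names ("/etc/...") fail the containment check just like "../" names.
    target = os.path.join(root, member.name)
    if not _inside(root, target):
        return f"path escapes destination: {member.name!r}"
    if member.issym():
        # A symlink target is relative to the link's own directory.
        link = os.path.join(os.path.dirname(target), member.linkname)
        if not _inside(root, link):
            return f"symlink escapes destination: {member.name!r} -> {member.linkname!r}"
    elif member.islnk():
        # A hard-link target is relative to the archive root.
        if not _inside(root, os.path.join(root, member.linkname)):
            return f"hardlink escapes destination: {member.name!r} -> {member.linkname!r}"
    elif member.isdev():
        return f"device node not allowed: {member.name!r}"
    return None


def scan_archive(data: bytes, dest: str) -> list:
    """Check every member before anything touches disk; an empty list means safe."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        problems = [member_problem(m, dest) for m in tar.getmembers()]
    return [p for p in problems if p]


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only a fully validated archive; returns the relative paths written."""
    problems = scan_archive(data, dest)
    if problems:
        raise ValueError("rejected archive: " + "; ".join(problems))
    # Python 3.12+ also ships tarfile's built-in 'data' filter; use it as a second layer.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        tar.extractall(dest, **extra)
    written = []
    for dirpath, _, filenames in os.walk(dest):
        for name in filenames:
            written.append(os.path.relpath(os.path.join(dirpath, name), dest))
    return sorted(written)


def build_tar(files=(), symlinks=()) -> bytes:
    """Constructed sample archive: files are (name, bytes), symlinks are (name, target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
        for name, link_target in symlinks:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = link_target
            tar.addfile(info)
    return buf.getvalue()


def demo() -> dict:
    """Run the validator over one benign and three crafted constructed archives."""
    dest = tempfile.mkdtemp(prefix="tar-extract-demo-")
    benign = build_tar(files=[("profiler/db.sqlite", b"ok"), ("profiler/readme.txt", b"ok")])
    traversal = build_tar(files=[("../../../etc/example.conf", b"overwritten")])
    absolute = build_tar(files=[("/etc/example.conf", b"overwritten")])
    link_escape = build_tar(files=[("profiler/example.conf", b"overwritten")],
                            symlinks=[("profiler", "../../..")])
    return {
        "benign": safe_extract(benign, dest),
        "traversal": scan_archive(traversal, dest),
        "absolute": scan_archive(absolute, dest),
        "link_escape": scan_archive(link_escape, dest),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The important design choice is that `scan_archive` rejects the whole upload before a single member is written: validating members one at a time during extraction leaves a window in which an earlier symlink member changes where a later name resolves. The symlink and hard-link checks exist for exactly that reason, and the hypothetical `profiler/` member names only mirror the page's mention of the profiler device database code, not any real appliance path.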
CVE-2020-8260 was one of four Pulse Secure flaws that were widely exploited by cybercriminals to stage a series of intrusions against government, defense, and financial entities in the United States and beyond, with the aim of circumventing multi-factor authentication protections and breaching enterprise networks. Given the likelihood of further exploitation, upgrading to Pulse Connect Secure 9.1R12 or a later version is highly recommended.