Pulse Secure has shipped a fix for a critical post-authentication remote code execution (RCE) vulnerability in its Connect Secure virtual private network (VPN) appliances to address an incomplete patch for an actively exploited flaw it previously resolved in October 2020.
“The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root,” NCC Group’s Richard Warren disclosed on Friday. “This vulnerability is a bypass of the patch for CVE-2020-8260.”
“An attacker with such access will be able to circumvent any restrictions enforced via the web application, as well as remount the filesystem, allowing them to create a persistent backdoor, extract and decrypt credentials, compromise VPN clients, or pivot into the internal network,” Warren added.
The disclosure comes days after Ivanti, the company behind Pulse Secure, published an advisory for as many as six security vulnerabilities on August 2, urging customers to move quickly to update to Pulse Connect Secure version 9.1R12 to secure against any exploitation attempts targeting the flaws.
Tracked as CVE-2021-22937 (CVSS score: 9.1), the shortcoming could “allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface,” according to Pulse Secure. CVE-2020-8260 (CVSS score: 7.2), an arbitrary code execution flaw rooted in uncontrolled gzip extraction, was remediated in October 2020 with version 9.1R9.
The vulnerability stems from the way archive files (.TAR) uploaded through the administrator web interface are extracted. While further checks were added to validate the TAR contents to prevent exploitation of CVE-2020-8260, additional variant and patch analysis revealed that the same extraction vulnerability is reachable through the part of the source code that handles profiler device databases, where those checks are not applied, effectively getting around the mitigations put in place.
“Whilst this issue was patched by adding validation to extracted files, this validation does not apply to archives with the ‘profiler’ type,” Warren said. “Therefore, by simply modifying the original CVE-2020-8260 exploit to change the archive type to ‘profiler’, the patch can be bypassed, and code execution achieved.”
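The pattern Warren describes, a traversal check that is gated on archive type, is worth seeing next to its fix. The following is an added illustration, not Pulse Secure's or NCC Group's code, and makes no claim about how the appliance actually implements its checks: it models a hypothetical extractor whose validation runs only for the types in an assumed `VALIDATED_TYPES` set (so a "profiler" archive skips it), and a hardened variant that validates every member of every archive before the first byte is written. The archives are constructed in memory with attacker-chosen member names, including a `../` name and, in the checker, handling for symlink and hard-link members that would otherwise provide a second way out of the extraction directory.

```python
"""Added example: type-gated (bypassable) vs. uniform tar extraction checks.

Nothing here is Pulse Secure code; archive types and member names are
hypothetical, constructed for the demonstration.
"""
import io
import os
import tarfile
import tempfile

# Hypothetical archive types; "profiler" stands in for the branch whose
# members skipped validation in the bug described above (assumption).
VALIDATED_TYPES = {"system", "config"}


def build_archive(member_names):
    """Build an in-memory tar with caller-chosen member names (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            data = b"payload\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_escapes(dest, member):
    """True if writing `member` would touch anything outside `dest`."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return True  # absolute name, or '..' components climbing out of dest
    if member.issym():
        # Symlink targets resolve relative to the link's own directory; a link
        # pointing outside lets a later member be written through it.
        link = os.path.realpath(os.path.join(os.path.dirname(target), member.linkname))
        return os.path.commonpath([dest_real, link]) != dest_real
    if member.islnk():
        # Hard-link targets resolve relative to the archive root.
        link = os.path.realpath(os.path.join(dest_real, member.linkname))
        return os.path.commonpath([dest_real, link]) != dest_real
    return False


def escaping_members(archive_bytes, dest):
    """Names of the members that would escape `dest`."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        return [m.name for m in tar.getmembers() if member_escapes(dest, m)]


def planned_writes_type_gated(archive_bytes, dest, archive_type):
    """Vulnerable pattern: the traversal check only runs for some archive types.

    Dry run: returns the absolute paths that would be written, nothing is
    written. For an unchecked type, '../' names go straight through.
    """
    paths = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        for member in tar.getmembers():
            if archive_type in VALIDATED_TYPES and member_escapes(dest, member):
                raise ValueError(f"rejected {member.name!r}")
            paths.append(os.path.realpath(os.path.join(dest, member.name)))
    return paths


def extract_hardened(archive_bytes, dest):
    """Fixed pattern: validate every member of every archive, then extract.

    All members are checked before the first write, so a bad member late in
    the archive cannot leave a partially extracted tree behind.
    """
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        members = tar.getmembers()
        bad = [m.name for m in members if member_escapes(dest, m)]
        if bad:
            raise ValueError(f"rejected unsafe members: {bad}")
        for member in members:
            tar.extract(member, dest)
        return sorted(m.name for m in members)


def demo():
    """Run both patterns against a constructed malicious archive."""
    bad = build_archive(["../../outside.txt", "ok.txt"])
    dest = tempfile.mkdtemp()
    dest_real = os.path.realpath(dest)
    gated = planned_writes_type_gated(bad, dest, "profiler")  # unchecked type
    try:
        extract_hardened(bad, dest)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    extracted = extract_hardened(build_archive(["ok.txt"]), dest)
    return {
        "gated_escapes": sum(1 for p in gated if not p.startswith(dest_real + os.sep)),
        "hardened_rejected": hardened_rejected,
        "extracted": extracted,
    }


if __name__ == "__main__":
    print(demo())
```

Two points carry over to any real extractor: the check must be a property of the member, not of which code path or "type" reached it, and it must run over the whole archive before anything is written. Recent Python releases offer the same discipline built in via `tar.extractall(dest, filter="data")`, which refuses members that resolve outside the destination.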
It’s worth noting that CVE-2020-8260 was one of the four Pulse Secure flaws that were actively exploited by threat actors earlier this April to stage a series of intrusions targeting defense, government, and financial entities in the U.S. and beyond, in a bid to circumvent multi-factor authentication protections and breach enterprise networks. Given the possibility of real-world exploitation, it’s highly recommended to upgrade to Pulse Connect Secure (PCS) 9.1R12 or later.
“A rigorous code review is just one of the steps we are taking to further bolster our security and protect our customers,” Daniel Spicer, Ivanti’s vice president of security, said. “For instance, we are also further expanding our existing internal product security resources to ramp up the pace and intensity of testing on existing products as well as those of companies or systems that we integrate into Ivanti.”