Patch bypass flaw in Pulse Secure VPNs can lead to total compromise (CVE-2021-22937)
The patch for a vulnerability (CVE-2020-8260) in Pulse Connect Secure VPN devices that attackers have been exploiting in the wild can be bypassed, security researcher Rich Warren has found. This new patch bypass vulnerability, which could lead to remote code execution, has been assigned a separate identifier (CVE-2021-22937) and was fixed by Ivanti Pulse Secure on Monday, along with several other bugs.
While Warren hasn’t released a usable PoC, he has explained how the CVE-2020-8260 patch can be bypassed by simply changing a parameter variable in the original exploit. Such a simple change can be easily reproduced by attackers.
CVE-2021-22937 is an uncontrolled archive extraction vulnerability that allows an attacker to overwrite arbitrary files.
“Successful exploitation of this issue results in Remote Code Execution on the underlying Operating System with root privileges. An attacker with such access will be able to circumvent any restrictions enforced via the web application, as well as remount the filesystem, allowing them to create a persistent backdoor, extract and decrypt credentials, compromise VPN clients, or pivot into the internal network,” Warren explained.
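The bug class described above, an archive extractor that writes wherever an entry's path points, is illustrated by the added example below. It is not Pulse Secure's code and the article does not say which archive format or product feature was affected; the use of tar, the sample entries and the helper names are assumptions. The check flags traversal paths, absolute paths and link entries before anything is written, and refuses the whole archive if any entry is unsafe.

```python
import io
import os
import tarfile
import tempfile


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign entry plus entries an uncontrolled
    extractor would write outside the destination directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("config/settings.conf", b"ok\n"),
            ("../../etc/cron.d/evil", b"overwritten\n"),  # relative path traversal
            ("/etc/passwd", b"overwritten\n"),             # absolute path
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        # Symlink entry pointing outside dest: a later entry written "through"
        # it would also land outside the directory, so links are rejected too.
        link = tarfile.TarInfo("logs")
        link.type = tarfile.SYMTYPE
        link.linkname = "/var/log"
        tar.addfile(link)
    return buf.getvalue()


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of entries that would escape dest or are not plain files/directories."""
    dest_real = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        # join() discards dest for absolute names; realpath() collapses "..".
        target = os.path.realpath(os.path.join(dest_real, m.name))
        inside = os.path.commonpath([dest_real, target]) == dest_real
        if not inside or m.issym() or m.islnk() or not (m.isfile() or m.isdir()):
            bad.append(m.name)
    return bad


def safe_extract(archive: bytes, dest: str) -> list:
    """Validate every entry first; extract only if the whole archive is clean."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing archive: unsafe entries {bad}")
        tar.extractall(dest)  # Python 3.12+ can also pass filter="data" for similar checks
        return [m.name for m in tar.getmembers()]


def demo() -> dict:
    """Run the check against the constructed archive in a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as dest:
        archive = build_sample_tar()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            bad = unsafe_members(tar, dest)
        try:
            safe_extract(archive, dest)
            refused = False
        except ValueError:
            refused = True
    return {"unsafe": bad, "refused": refused}
```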
Ivanti Pulse Secure noted on Monday that, to their knowledge, none of the CVEs they fixed in the latest version of PCS (9.1R12) are under active exploitation. Nevertheless, they urge enterprise admins to upgrade their installations as soon as possible.
“In addition to addressing the CVEs, PCS version 9.1R12 includes enhanced features such as the incorporation of our Pulse Security Integrity Checker Tool directly into the product to create a seamless, more secure customer experience. This built-in feature eliminates the need for scheduled downtime to run an integrity check,” the company added.
UPDATE (August 7, 2021, 04:40 a.m. PT):
“A rigorous code review is just one of the steps we are taking to further bolster our security and protect our customers. For instance, we are also further expanding our existing internal product security resources to ramp up the pace and intensity of testing on existing products as well as those of companies or systems that we integrate into Ivanti,” Daniel Spicer, VP, Security at Ivanti, commented.
“Security threats across the industry will unfortunately persist. We will continue to partner closely with customers, law enforcement, government agencies and others in the security industry to help identify, prevent and mitigate new and emerging threats and protect our customers. We are grateful to researchers who bring concerns to our attention and would direct any researchers or customers to our Responsible Disclosure Policy.”