Author: Melodie Foster

Date: 26th May 2021

 

The flaw could allow an unauthenticated, remote attacker to execute code as a user with root privileges.

The vulnerability has been given a CVSS score of 8.5 out of 10 and stems from a buffer overflow in the Pulse Connect Secure gateway, whereby a remote authenticated user with privileges to browse SMB shares could execute code as the root user.

Since there is currently no practical solution to this problem, Will Dormann, who discovered the vulnerability, offered two workarounds.

The first is an XML workaround published by Pulse Secure, which protects systems immediately and requires no downtime for the VPN system. The workaround file blocks requests that match a specific URI pattern, but Dormann warned that the PCS system must be running 9.1R11.4 before the workaround is applied, so that it doesn't reintroduce another vulnerability.

The second workaround involves setting a Windows File Access Policy. If the SMB policy is left at the default, in which the Initial File Browsing Policy allows \\* SMB connections, the vulnerability is exposed. Configuring the policy to deny these connections will reduce the attack surface.

Vulnerable versions of Pulse Connect Secure include 9.0Rx and 9.1Rx. [1]

[1] https://threatpost.com/pulse-secure-vpns-critical-rce/166437/
