Author: Melodie Foster
Date: 26th May 2021
The flaw could allow an unauthenticated, remote attacker to execute code as a user with root privileges.
The vulnerability has been given a CVSS score of 8.5 out of 10 and stems from a buffer overflow in the Pulse Connect Secure gateway, whereby a remote authenticated user with privileges to browse SMB shares could execute code as the root user.
Since there is currently no practical solution to this problem, Will Dormann, who discovered the vulnerability, offered two workarounds.
The first is an XML workaround published by Pulse Secure, which will protect the systems immediately and won't require any downtime for the VPN system. The workaround file blocks requests that match a specific URI pattern, but Dormann warned that the PCS system must be running 9.1R11.4 before applying this workaround so it doesn't reintroduce another vulnerability.
The second workaround involves setting a Windows File Access Policy. If the SMB policy is left at its default, where the Initial File Browsing Policy allows \\* SMB connections, the vulnerability is exposed. Configuring the policy to deny these connections will reduce the attack surface.
Vulnerable versions of Pulse Connect Secure include 9.0Rx and 9.1Rx. 