{"vuid":"VU#667933","idnumber":"667933","name":"Pulse Connect Secure Samba buffer overflow","keywords":null,"overview":"### Overview\r\n\r\nPulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code.\r\n\r\n### Description\r\n**CVE-2021-22908**\r\n\r\nPCS includes the ability to connect to Windows file shares (SMB). This capability is provided by a number of CGI scripts, which in turn use libraries and helper applications based on Samba 4.5.10. When specifying a long server name for some SMB operations, the `smbclt` application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified. We have confirmed that PCS 9.1R11.4 systems are vulnerable, targeting a CGI endpoint of: `/dana/fb/smb/wnf.cgi`. Other CGI endpoints may also trigger the vulnerable code.  \r\n\r\nSpecifying a long server name to this endpoint may result in a PCS events log entry that may look like the following:  \r\n```\r\nCritical ERR31093 2021-05-24 14:05:37 - ive - [127.0.0.1] Root::System()[] - Program smbclt recently failed. \r\n```\r\n\r\nSuccessful exploitation of this vulnerability may not produce such a log entry if the program is cleanly exited during exploitation, or if the log files are sanitized after successful exploitation.\r\n\r\nIn order to be vulnerable, a PCS server must have a Windows File Access policy that **allows** `\\\\*` or it must have some other policy set that would allow an attacker to connect to an arbitrary server. In the administrative page for the PCS, see `Users -> Resource Policies -> Windows File Access Policies` to view your current SMB policy. Any PCS device that started as version 9.1R2 or earlier will have a default policy that allows connecting to arbitrary SMB hosts. Starting with 9.1R3, this policy was changed from a default allow to a default deny.\r\n\r\nNote that the vendor implies that the `Files, Window[sic]` access feature can be disabled for user roles in order to protect against this vulnerability. This is **NOT** the case. The vulnerable CGI endpoints are still reachable in ways that will trigger the `smbclt` application to crash, regardless of whether the `Files, Windows` user role is enabled or not. These steps are only included in the advisory to limit excessive errors showing up in PCS logs after the XML workaround has been installed.\r\n\r\nIn our testing, an attacker would need either valid PCS user credentials, or a `DSID` value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy. We have created a [PoC utility to test for PCS systems vulnerable to CVE-2021-22908](https://github.com/CERTCC/PoC-Exploits/tree/master/cve-2021-22908) as well as which mitigations may be applied.\r\n\r\n### Impact\r\nBy performing certain SMB operations with a specially-crafted server name, an authenticated attacker may be able to execute arbitrary code with root privileges on a vulnerable PCS server.\r\n\r\n### Solution\r\n#### Apply an update\r\nThis issue is addressed in PCS 9.1R11.5. Please see advisory [SA44800](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800) for more details.\r\n\r\n#### Apply an XML workaround\r\n\r\nPulse Secure has published advisory [SA44800](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800) that mentions a [Workaround-2105.xml](https://my.pulsesecure.net/) file that contains a mitigation to protect against this vulnerability. [Importing this XML workaround](https://docs.pulsesecure.net/WebHelp/PCS/9.1R1/AG/Content/PCS/PCS_AdminGuide_9.1R1/Importing_an_XML_Configuration.htm) will activate the protections immediately and does not require any downtime for the VPN system. This workaround will block requests that match the following URI patterns:\r\n```\r\n^/+dana/+fb/+smb\r\n^/+dana-cached/+fb/+smb\r\n```\r\n\r\n`Workaround-2105.xml` will automatically deactivate the mitigations applied by `Workaround-2104.xml` when it is installed. As such, it is imperative that a PCS system is running 9.1R11.4 **before** applying the `Workaround-2105.xml` mitigation, which will ensure that the vulnerabilities outlined in [SA44784](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784) are not reintroduced as the result of applying this workaround.\r\n\r\nNote that installing this workaround will block the ability to use the following feature:\r\n\r\n* Windows File Share Browser\r\n\r\n#### Set a Windows File Access Policy\r\n\r\nThis vulnerability relies on the ability to connect to an arbitrary SMB server name to trigger the vulnerability. A PCS system that started as version 9.1R3 or later will have a default Initial File Browsing Policy of **Deny** for `\\\\*` SMB connections. If you have a PCS system that started as 9.1R2 or earlier, it will retain the default Initial File Browsing Policy of **Allow** for `\\\\*` SMB connections, which will expose this vulnerability. In the administrative page for the PCS, see `Users -> Resource Policies -> Windows File Access Policies` to view your current SMB policy.\r\n\r\nIf your PCS has a policy that explicitly allows `\\\\*` or otherwise may allow users to initiate connections to arbitrary SMB server names, you should configure the PCS to **Deny** connections to such resources to minimize your PCS attack surface.\r\n\r\n\r\n### Acknowledgements\r\nThis vulnerability was reported by Will Dormann of the CERT/CC.\r\n\r\nThis document was written by Will Dormann.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800","https://github.com/CERTCC/PoC-Exploits/blob/master/cve-2021-22908/cve-2021-22908.py"],"cveids":["CVE-2021-22908"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2021-05-24T23:03:20.220116Z","publicdate":"2021-05-24T23:03:19.959238Z","datefirstpublished":"2021-05-24T23:03:20.245728Z","dateupdated":"2021-06-17T20:42:52.214282Z","revision":8,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":45}