{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/667933#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nPulse Connect Secure (PCS) gateway contains a buffer overflow vulnerability in Samba-related code that may allow an authenticated remote attacker to execute arbitrary code.\r\n\r\n### Description\r\n**CVE-2021-22908**\r\n\r\nPCS includes the ability to connect to Windows file shares (SMB). This capability is provided by a number of CGI scripts, which in turn use libraries and helper applications based on Samba 4.5.10. When specifying a long server name for some SMB operations, the `smbclt` application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long a server name is specified. We have confirmed that PCS 9.1R11.4 systems are vulnerable, targeting a CGI endpoint of: `/dana/fb/smb/wnf.cgi`. Other CGI endpoints may also trigger the vulnerable code.\r\n\r\nSpecifying a long server name to this endpoint may result in a PCS events log entry that may look like the following:\r\n```\r\nCritical ERR31093 2021-05-24 14:05:37 - ive - [127.0.0.1] Root::System()[] - Program smbclt recently failed. \r\n```\r\n\r\nSuccessful exploitation of this vulnerability may not produce such a log entry if the program is cleanly exited during exploitation, or if the log files are sanitized after successful exploitation.\r\n\r\nIn order to be vulnerable, a PCS server must have a Windows File Access policy that **allows** `\\\\*` or it must have some other policy set that would allow an attacker to connect to an arbitrary server. In the administrative page for the PCS, see `Users -> Resource Policies -> Windows File Access Policies` to view your current SMB policy. Any PCS device that started as version 9.1R2 or earlier will have a default policy that allows connecting to arbitrary SMB hosts. Starting with 9.1R3, this policy was changed from a default allow to a default deny.\r\n\r\nNote that the vendor implies that the `Files, Window[sic]` access feature can be disabled for user roles in order to protect against this vulnerability. This is **NOT** the case. The vulnerable CGI endpoints are still reachable in ways that will trigger the `smbclt` application to crash, regardless of whether the `Files, Windows` user role is enabled or not. These steps are only included in the advisory to limit excessive errors showing up in PCS logs after the XML workaround has been installed.\r\n\r\nIn our testing, an attacker would need either valid PCS user credentials, or a `DSID` value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy. We have created a [PoC utility to test for PCS systems vulnerable to CVE-2021-22908](https://github.com/CERTCC/PoC-Exploits/tree/master/cve-2021-22908) as well as which mitigations may be applied.\r\n\r\n### Impact\r\nBy performing certain SMB operations with a specially-crafted server name, an authenticated attacker may be able to execute arbitrary code with root privileges on a vulnerable PCS server.\r\n\r\n### Solution\r\n#### Apply an update\r\nThis issue is addressed in PCS 9.1R11.5. Please see advisory [SA44800](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800) for more details.\r\n\r\n#### Apply an XML workaround\r\n\r\nPulse Secure has published advisory [SA44800](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800) that mentions a [Workaround-2105.xml](https://my.pulsesecure.net/) file that contains a mitigation to protect against this vulnerability. [Importing this XML workaround](https://docs.pulsesecure.net/WebHelp/PCS/9.1R1/AG/Content/PCS/PCS_AdminGuide_9.1R1/Importing_an_XML_Configuration.htm) will activate the protections immediately and does not require any downtime for the VPN system. This workaround will block requests that match the following URI patterns:\r\n```\r\n^/+dana/+fb/+smb\r\n^/+dana-cached/+fb/+smb\r\n```\r\n\r\n`Workaround-2105.xml` will automatically deactivate the mitigations applied by `Workaround-2104.xml` when it is installed. As such, it is imperative that a PCS system is running 9.1R11.4 **before** applying the `Workaround-2105.xml` mitigation, which will ensure that the vulnerabilities outlined in [SA44784](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784) are not reintroduced as the result of applying this workaround.\r\n\r\nNote that installing this workaround will block the ability to use the following feature:\r\n\r\n* Windows File Share Browser\r\n\r\n#### Set a Windows File Access Policy\r\n\r\nThis vulnerability relies on the ability to connect to an arbitrary SMB server name to trigger the vulnerability. A PCS system that started as version 9.1R3 or later will have a default Initial File Browsing Policy of **Deny** for `\\\\*` SMB connections. If you have a PCS system that started as 9.1R2 or earlier, it will retain the default Initial File Browsing Policy of **Allow** for `\\\\*` SMB connections, which will expose this vulnerability. In the administrative page for the PCS, see `Users -> Resource Policies -> Windows File Access Policies` to view your current SMB policy.\r\n\r\nIf your PCS has a policy that explicitly allows `\\\\*` or otherwise may allow users to initiate connections to arbitrary SMB server names, you should configure the PCS to **Deny** connections to such resources to minimize your PCS attack surface.\r\n\r\n### Acknowledgements\r\nThis vulnerability was reported by Will Dormann of the CERT/CC.\r\n\r\nThis document was written by Will Dormann.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details.","title":"Limitations of Advisory"},{"category":"other","text":"Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. As of version 9.1R3, this permission is not enabled by default.","title":"Vendor statement from Pulse Secure"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/667933"},{"url":"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800","summary":"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800"},{"url":"https://github.com/CERTCC/PoC-Exploits/blob/master/cve-2021-22908/cve-2021-22908.py","summary":"https://github.com/CERTCC/PoC-Exploits/blob/master/cve-2021-22908/cve-2021-22908.py"},{"url":"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800","summary":"Reference(s) from vendor \"Ivanti\""},{"url":"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800/?kA23Z000000boUgSAI","summary":"Reference(s) from vendor \"Pulse Secure\""}],"title":"Pulse Connect Secure Samba buffer overflow","tracking":{"current_release_date":"2021-06-17T20:42:52+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#667933","initial_release_date":"2021-05-24 23:03:19.959238+00:00","revision_history":[{"date":"2021-06-17T20:42:52+00:00","number":"1.20210617204252.8","summary":"Released on 2021-06-17T20:42:52+00:00"}],"status":"final","version":"1.20210617204252.8"}},"vulnerabilities":[{"title":"Pulse Connect Secure contains a buffer overflow in Samba functionality.","notes":[{"category":"summary","text":"Pulse Connect Secure contains a buffer overflow in Samba functionality."}],"cve":"CVE-2021-22908","ids":[{"system_name":"CERT/CC V Identifier","text":"VU#667933"}],"product_status":{"known_affected":["CSAFPID-07ab7a6a-39dc-11f1-8422-122e2785dc9f","CSAFPID-07abb9f8-39dc-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Ivanti","product":{"name":"Ivanti Products","product_id":"CSAFPID-07ab7a6a-39dc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Pulse Secure","product":{"name":"Pulse Secure Products","product_id":"CSAFPID-07abb9f8-39dc-11f1-8422-122e2785dc9f"}}]}}