New Workaround Issued for Critical RCE Vulnerability in Pulse Secure VPNs

critical RCE vunerability pulse secure vpn featured imaage

Pulse Secure is offering a quick fix for a critical-remote code (RCE) vulnerability in its popular VPN software known as Pulse Connect Secure. This PCS vulnerability may enable breaches by remote attackers who can execute code as users with root privileges.

Ivanti, Pulse Secure’s parent company, reported that the bug affects Pulse Secure versions 9.0Rx and 9.1Rx. The bug was identified as CVE-2021-22908 and rated 8.5 on the Common Vulnerability Scoring System. Meanwhile, a report by the CERT Coordination Center explains that the problem comes from a buffer overflow vulnerability in the PCS gateway.

The report was authored by a Software Vulnerability Analyst at CERT, Will Dormann, who also discovered the bug. Dormann doesn’t believe that there is a realistic solution to the problem at the moment. However, the analyst offered two possible workarounds:

1. An XML workaround

This involves a Workaround-2105.xml file with a mitigation to protect users against the vulnerability. The protections are activated as soon as the XML workaround is imported and doesn’t require any downtime for the VPN system.

It blocks requests that match these URI patterns:

^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb

The users should also note that this workaround blocks their ability to use Windows File Share Browser.

2. Setting a Windows File Access Policy

The vulnerability is triggered by connecting to an arbitrary SMB server name. The PCS system that started as 9.1R2 or earlier will keep the default Initial File Browsing Policy which uncovers the vulnerability.

Dormann advised users to check the PSC admin page. They can do that by going to Users > Resource Policies > Windows File Access Policies, where they can check the ongoing SMB policy. Those who have a PCS policy, which allows users to initiate connections to arbitrary SMB server names, need to configure the PSC to deny connections to such resources.