Patch Bypass PoC for Pulse Connect Secure Calls for Emergency Update

  • Researcher finds a way to bypass 2020 Pulse Connect Secure mitigation for severe RCE flaw.
  • It took the company two months to assess the report and one more month to release a fix.
  • The proof of concept exploit is out in the form of a screenshot, but more details will be published soon.

Pulse Connect Secure, the widely deployed business-grade VPN by Ivanti, needs to be updated to version 9.1R12 as soon as possible, because a bypass PoC (proof of concept) exploit for a bug that was fixed last year is already out. The vulnerability is CVE-2020-8260, which was thought to affect only versions below 9.1R9; it allowed an authenticated attacker to achieve arbitrary code execution through uncontrolled gzip extraction. However, as researchers at NCC Group explain, the validations that were added to prevent exploitation can be bypassed.

By changing a single POST parameter in the original CVE-2020-8260 exploit, the extraction can be redirected to a different location (CGI files), so code execution is achieved on the latest, fully patched Pulse Connect Secure products. As the researcher explains, adjusting the PoC for the 2020 bug to exploit the VPN software today was trivial.

Source: NCC Group
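The defensive lesson in the paragraphs above is that an archive-extraction check tied to one request path can be routed around by pointing the same extractor at a different destination. The following is an added example, not code from Pulse Connect Secure, Ivanti or NCC Group: it shows a gzip-tar extractor that validates every member against the destination it is actually writing to, refuses links, and extracts nothing unless every member passes. The destination directory and the entry names (including the constructed `../outside.txt` entry used to test the check) are invented for the demonstration.

```python
import io
import os
import shutil
import tarfile
import tempfile


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive member would land outside the destination."""


def _is_within(base: str, target: str) -> bool:
    """True if the resolved target path lies inside the resolved base directory."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract_tgz(data: bytes, dest: str) -> list:
    """Extract a .tar.gz held in memory into dest.

    Every member is checked before anything is written, so a single bad entry
    rejects the whole archive (all-or-nothing). The check is made against the
    destination this call receives, not against a caller-supplied flag, so the
    result does not change when a request selects a different target directory.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        members = tf.getmembers()
        for m in members:
            if os.path.isabs(m.name):
                raise UnsafeArchiveEntry(f"absolute path in archive: {m.name!r}")
            if m.issym() or m.islnk():
                # A link can point outside dest after extraction; refuse it outright.
                raise UnsafeArchiveEntry(f"link entry not allowed: {m.name!r}")
            if not (m.isfile() or m.isdir()):
                raise UnsafeArchiveEntry(f"unsupported entry type: {m.name!r}")
            if not _is_within(dest, os.path.join(dest, m.name)):
                raise UnsafeArchiveEntry(f"path escapes destination: {m.name!r}")
        for m in members:
            tf.extract(m, dest)
        return [m.name for m in members]


def build_tgz(entries: dict) -> bytes:
    """Build a .tar.gz from {name: content} pairs (constructed test input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def run_demo() -> dict:
    """Constructed demonstration: one benign archive and one with a traversal entry."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    results = {}
    try:
        benign = build_tgz({
            "config/settings.txt": b"ok\n",
            "config/cgi/script.cgi": b"#!/bin/sh\n",
        })
        results["benign"] = safe_extract_tgz(benign, dest)
        with open(os.path.join(dest, "config", "settings.txt"), "rb") as fh:
            results["benign_content"] = fh.read()

        # The hostile archive has a harmless first entry and an escaping second one.
        hostile = build_tgz({"harmless.txt": b"x", "../outside.txt": b"escaped\n"})
        try:
            safe_extract_tgz(hostile, dest)
            results["hostile_rejected"] = False
        except UnsafeArchiveEntry:
            results["hostile_rejected"] = True
        # Because validation happens before any write, even the harmless entry is absent.
        results["harmless_written"] = os.path.exists(os.path.join(dest, "harmless.txt"))
        results["outside_written"] = os.path.exists(
            os.path.join(os.path.dirname(dest), "outside.txt"))
    finally:
        shutil.rmtree(dest, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Recent Python releases also offer `extractall(..., filter="data")` (PEP 706), which applies comparable rules inside `tarfile` itself; the explicit version above is kept so the individual checks are visible, and it shows why the check must sit in the extractor rather than in whichever handler happened to call it.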

This was discovered and reported to Ivanti on May 12, 2021, through the HackerOne platform. The firm wasn’t quick to respond and confirm the problem: it took them two months to get back to the researcher, Richard Warren. The fix eventually landed on August 2, 2021, and an advisory disclosing some details has now been published.

Version 9.1R12 addresses a total of six vulnerabilities, all rated critical, with the bypass fix tracked as CVE-2021-22937. To clarify, the PoC published by the researcher is only a screenshot, as it’s too early to disclose everything just three days after the patch was made available to users of the product. However, sophisticated actors may already have all they need to weaponize it, so delaying the update shouldn’t be an option.

Also, it is worth pointing out that an attacker would still need access to an administrator account to exploit this vulnerability, so some form of phishing or credential stuffing would have to occur beforehand. This somewhat lessens the severity and limits the scope, but organizations shouldn’t rely on that.
