Stop us if you've heard this one before: a remote-code execution vulnerability needs patching in Pulse Secure VPNs.
Professional code-probers at GoSecure uncovered a host of security flaws, including CVE-2020-8218, which it publicly disclosed this week after a patch was issued. The other holes are yet to be addressed, and so details on those remain under wraps for now.
What we do know is that CVE-2020-8218 can be exploited to execute code on the VPN system by tricking an administrator into, say, opening a URL.
"Many vulnerabilities had been found in previous versions of the VPN, so we were eager to see if we could find shortcomings of our own in the latest one," GoSecure's Jean-Frédéric Gauron explained. "After some time, we did manage to find several new vulnerabilities that allow, among other things, an unauthenticated user to run arbitrary code remotely (RCE). The RCE itself (CVE-2020-8218) requires to be authenticated with admin privileges but can also be triggered by an unsuspecting admin simply clicking on a malicious link."
Essentially, the Perl code powering the VPN's admin panel can be fooled into writing a user-controlled URL parameter to a cache file, and then passing that parameter from the cache file directly to the underlying operating system's command interpreter. Thus a malicious command to download and run malware can be executed on the box by opening a bad link.
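To make that two-stage pattern concrete, here is an added, hypothetical Perl sketch (not Pulse Secure's code) of an admin handler that stores a URL parameter in a cache file and later hands the cached value to the shell, next to a hardened version of the same step; the cache path, the `ping` diagnostic and the sample input are all constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical admin-panel handler, constructed for illustration.
my $CACHE = "/tmp/demo-admin-cache.txt";   # constructed path, not a real product file

# Stage 1: the URL parameter is persisted verbatim to a cache file.
# Nothing here looks dangerous on its own, which is why the later use is missed.
sub cache_param {
    my ($value) = @_;
    open my $fh, '>', $CACHE or die "cannot write cache: $!";
    print {$fh} $value;
    close $fh;
}

sub read_cached {
    open my $fh, '<', $CACHE or die "cannot read cache: $!";
    my $value = <$fh>;
    close $fh;
    chomp $value;
    return $value;
}

# Stage 2, vulnerable pattern: the cached value is interpolated into a
# command string.  String-form system() goes through /bin/sh, so whatever
# the file holds (URL -> cache -> shell) is parsed as shell syntax.
sub run_vulnerable {
    my $target = read_cached();
    return system("ping -c 1 $target");       # shell sees "; ..." and friends
}

# Stage 2, hardened pattern: re-validate the value where it is USED, not only
# where it was received, and use list-form system(), which execs the program
# directly with no shell in between.  The capture also untaints under perl -T.
sub run_hardened {
    my $target = read_cached();
    my ($clean) = $target =~ /\A([A-Za-z0-9.-]{1,253})\z/
        or die "rejected cached value '$target'";
    return system('ping', '-c', '1', $clean);  # no shell, argument passed as-is
}

cache_param("example.com; id");   # constructed input imitating a poisoned parameter
eval { run_hardened() };
print "hardened path: $@" if $@;  # the injected value never reaches a shell
```

Running the script under `perl -T` flags the vulnerable path as an insecure dependency, because data read from a file is tainted until it passes a regex capture; that is an inexpensive way to find this class of second-order injection in existing Perl handlers.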
Given the above advisory has all the information someone needs to build a working exploit, you should probably patch the bug. "While it does require to be authenticated, the fact that it can be triggered by a simple phishing attack on the right victim should be evidence enough that this vulnerability is not to be ignored," Gauron noted.
Updating to Pulse Connect Secure (PCS) 9.1R8 or Pulse Policy Secure (PPS) 9.1R8 fixes CVE-2020-8218 as well as vulnerabilities found by others, including CVE-2020-8206 ("Attacker can bypass the Google TOTP, if the primary credentials are exposed to attacker") and CVE-2020-8221 ("Authenticated attacker via the administrator web interface can read arbitrary files").
Researchers Maxime Nadeau, Romain Carnus, Simon Nolet, Jean-Frédéric Gauron, Temuujin Darkhantsetseg, and Julien Pineault were credited for finding CVE-2020-8218. ®