US-CERT, in coordination with Carnegie Mellon University, has disclosed a buffer overflow vulnerability in Pulse Secure's Pulse Connect Secure (PCS). The PCS vulnerability has been assigned the CVE ID CVE-2021-22908.
“PCS includes the ability to connect to Windows file shares (SMB). This capability is provided by a number of CGI scripts, which in turn use libraries and helper applications based on Samba 4.5.10. When specifying a long server name for some SMB operations, the smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” the advisory states.
The following error is written to the PCS system log when the vulnerability is triggered successfully:
Critical ERR31093 2021-05-24 14:05:37 – ive – [127.0.0.1] Root::System()[] – Program smbclt recently failed.
Impact of the Vulnerability
It is mentioned in the advisory that by performing certain SMB operations with a specially-crafted server name, an authenticated attacker may be able to execute arbitrary code with root privileges on a vulnerable PCS server.
There is no fix available yet for this particular vulnerability, but the CERT team has provided the following workarounds:
1. Apply an XML workaround
Pulse Secure has published an advisory that mentions a Workaround-2105.xml file that contains a mitigation to protect against this vulnerability. Importing this XML workaround will activate the protections immediately and does not require any downtime for the VPN system. This workaround will block requests that match the following URI patterns:
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
Workaround-2105.xml will automatically deactivate the mitigations applied by Workaround-2104.xml when it is installed. As such, it is imperative that a PCS system is running 9.1R11.4 before applying the Workaround-2105.xml mitigation, which will ensure that the vulnerabilities outlined in SA44784 are not reintroduced as the result of applying this workaround.
Note that installing this workaround will block the ability to use the following feature:
- Windows File Share Browser
2. Set a Windows File Access Policy
This vulnerability relies on the ability to connect to an arbitrary SMB server name to trigger the vulnerability. A PCS system that started as version 9.1R3 or later will have a default Initial File Browsing Policy of Deny for \\* SMB connections. If you have a PCS system that started as 9.1R2 or earlier, it will retain the default Initial File Browsing Policy of Allow for \\* SMB connections, which will expose this vulnerability. In the administrative page for the PCS, see Users -> Resource Policies -> Windows File Access Policies to view your current SMB policy.
If your PCS has a policy that explicitly allows \\* or otherwise may allow users to initiate connections to arbitrary SMB server names, you should configure the PCS to Deny connections to such resources to minimize your PCS attack surface.
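As an added example (not code from the advisory or from Pulse Secure), the following script turns two facts from this page into defensive checks: the URI patterns that Workaround-2105.xml blocks, applied to request paths so an administrator can see which traffic the workaround would reject before importing it, and the ERR31093 "Program smbclt recently failed" event, used as a crash signature over PCS system-log lines. The sample request paths and log lines are constructed; the CGI file names after the `/dana/fb/smb` prefix are hypothetical, since only the prefix is published.

```python
import re

# URI patterns quoted from the Workaround-2105.xml mitigation. The "/+" quantifiers
# match one or more slashes, so a path with doubled slashes such as "//dana//fb//smb"
# is still caught instead of slipping past a naive literal-prefix comparison.
BLOCKED_URI_PATTERNS = [
    re.compile(r"^/+dana/+fb/+smb"),
    re.compile(r"^/+dana-cached/+fb/+smb"),
]

# Event ID and message from the system-log line quoted on this page; both must be
# present so that unrelated log text mentioning smbclt is not reported.
SMBCLT_CRASH_RE = re.compile(r"\bERR31093\b.*Program smbclt recently failed")


def is_blocked_by_workaround(uri: str) -> bool:
    """True if the request path would be rejected once Workaround-2105.xml is imported."""
    return any(pattern.search(uri) for pattern in BLOCKED_URI_PATTERNS)


def audit_access_log(entries):
    """entries: list of (timestamp, uri). Returns the entries the workaround would block."""
    return [(ts, uri) for ts, uri in entries if is_blocked_by_workaround(uri)]


def find_smbclt_crashes(log_lines):
    """Return the PCS system-log lines that carry the ERR31093 smbclt crash signature."""
    return [line for line in log_lines if SMBCLT_CRASH_RE.search(line)]


# Constructed sample data, not captured from a real appliance.
SAMPLE_REQUESTS = [
    ("2021-05-24 14:05:30", "/dana/fb/smb/wfb.cgi"),            # hypothetical CGI name
    ("2021-05-24 14:05:31", "//dana-cached//fb//smb/x.cgi"),    # doubled slashes, still blocked
    ("2021-05-24 14:05:32", "/dana/home/index.cgi"),            # unrelated PCS path, allowed
    ("2021-05-24 14:05:33", "/dana/fb/nfs/nfb.cgi"),            # hypothetical non-SMB path, allowed
]
SAMPLE_SYSLOG = [
    "Info 2021-05-24 14:05:36 - ive - [10.0.0.5] user(Users)[] - constructed unrelated event",
    "Critical ERR31093 2021-05-24 14:05:37 - ive - [127.0.0.1] Root::System()[] - Program smbclt recently failed.",
]

if __name__ == "__main__":
    for ts, uri in audit_access_log(SAMPLE_REQUESTS):
        print(f"{ts} would be blocked by Workaround-2105.xml: {uri}")
    for line in find_smbclt_crashes(SAMPLE_SYSLOG):
        print("smbclt crash signature found:", line)
```

Running the audit against the real web-access log before importing the workaround shows exactly which file-browser traffic will stop working, which is the "Windows File Share Browser" impact the advisory warns about.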