Trickboot vulnerability in Pulse Secure appliances



Published: 2021-03-04
Risk: High
Patch available: YES
Number of vulnerabilities: 1
CVE ID: N/A
CWE ID: CWE-264
Exploitation vector: Local
Public exploit: This vulnerability is being exploited in the wild.
Vulnerable software
PSA-7000
Hardware solutions / Routers & switches, VoIP, GSM, etc

PSA-5000
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Pulse Secure

Security Advisory

This security advisory describes one high risk vulnerability.

1) Security restrictions bypass

Risk: High

CVSSv3.1: 7.5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in the BIOS firmware for the X10 UP-series (H3 Single Socket “Denlow”) motherboard. A local user can plant malware in the motherboard firmware and establish permanent persistence on the system, even if the OS is reinstalled.

Note, the vulnerability is being actively exploited in the wild by the TrickBoot malware.

Mitigation

The vendor has issued a BIOS patch for Pulse Connect Secure / Pulse Policy Secure solutions for the affected models.


Vulnerable software versions

PSA-7000: All versions

PSA-5000: All versions

External links

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44712/p?pubstatus=o

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


