
Pega Infinity hotfix released after researchers flag critical authentication bypass vulnerability

Users of the Pega Infinity enterprise software platform are being advised to update their installations after a vulnerability was discovered by security researchers.

According to the research team – Sam Curry, Justin Rhinehart, Brett Buerhaus, and Maik Robert – CVE-2021-27651 is a critical-risk vulnerability in versions 8.2.1 to 8.5.2 of Pega’s Infinity software.

The proof of concept demonstrates how an attacker could bypass Pega Infinity’s password reset system.

Attackers could then use the reset account to “fully compromise” the Pega instance through administrator-only remote code execution, which could include modifying dynamic pages or templating.

The researchers worked with the developer, Pegasystems, to produce a hotfix for the software.

The vendor recommends that customers running the software on-premises check whether their version is affected and apply the relevant hotfix.

Enterprise software pwnage

Pega Infinity is a popular enterprise software suite, with over 2,000 users. The package includes customer service and sales automation, an AI-driven ‘customer decision hub’, workforce intelligence, and a ‘no-code’ development platform.

The security researchers came across the Pega Infinity vulnerability through participation in Apple’s bug bounty program.

“We’d been hacking on Apple’s bug bounty program for about six months and had spent a lot of time on software produced by Apple themselves,” UK-based hacker Sam Curry told The Daily Swig.

“We had decided to switch routes and target vendors [supplying technology to Apple] instead after reading a blog post from two awesome researchers.”

Curry has previously documented his experiences with Apple’s bug bounty program.

Behind the bug

The researchers used Burp Suite to discover the password reset weakness in Pega Infinity.

The weakness allows a full compromise of any Pega instance with “no prerequisite knowledge”, according to Curry.

In addition, Justin Rhinehart developed a Nuclei template to determine whether a given host is running Pega Infinity.

“These systems are largely public facing and aren’t necessarily designed to be run internally, so at the time of reporting there was a large number of affected customers running Pega Infinity externally,” Curry explained.


“Pega’s customers are from every sector and at the time of reporting some of the customers included the FBI, US Air Force, Apple, American Express, and a few other huge names.”

Curry says that Pega was quick to work with the researchers to patch the vulnerability, although the vendor needed time for customers running Infinity on-premises to update their installations. This process, Curry said, took over three months.

The Daily Swig has invited Pegasystems to comment on the findings.

Source: https://portswigger.net/daily-swig/pega-infinity-hotfix-released-after-researchers-flag-critical-authentication-bypass-vulnerability
