Users of the Pega Infinity enterprise software platform are being advised to update their installations after a vulnerability was discovered by security researchers.
According to the research team – Sam Curry, Justin Rhinehart, Brett Buerhaus, and Maik Robert – CVE-2021-27651 is a critical-risk vulnerability in versions 8.2.1 to 8.5.2 of Pega’s Infinity software.
The proof of concept demonstrates how an attacker could bypass Pega Infinity’s password reset system.
Attackers could then use the reset account to “fully compromise” the Pega instance via administrator-only remote code execution, for example by modifying dynamic pages or templates.
The researchers worked with developer Pegasystems to develop a hot fix for the software.
The vendor recommends that customers running the software on-premises should check if their version is affected and apply the relevant hot fix.
Enterprise software pwnage
Pega Infinity is a popular enterprise software suite, with over 2,000 users. The package includes customer service and sales automation, an AI-driven ‘customer decision hub’, workforce intelligence, and a ‘no-code’ development platform.
The security researchers came across the Pega Infinity vulnerability through participation in Apple’s bug bounty program.
“We’d been hacking on Apple’s bug bounty program for about six months and had spent a lot of time on software produced by Apple themselves,” UK-based hacker Sam Curry told The Daily Swig.
“We had decided to switch routes and target vendors [supplying technology to Apple] instead after reading a blog post from two awesome researchers.”
Curry has previously documented his experiences with Apple’s bug bounty program.
Behind the bug
The researchers used Burp Suite to discover the password reset weakness in Pega Infinity.
The weakness allows a full compromise of any Pega instance with “no prerequisite knowledge”, according to Curry.
In addition, Justin Rhinehart developed a Nuclei template to determine whether a given host is running Pega Infinity.
“These systems are largely public facing and aren’t necessarily designed to be run internally, so at the time of reporting there was a large number of affected customers running Pega Infinity externally,” Curry explained.
“Pega’s customers are from every sector and at the time of reporting some of the customers included the FBI, US Air Force, Apple, American Express, and a few other huge names.”
Curry says that Pega was quick to work with the researchers to patch the vulnerability, even though they needed time for customers running Infinity on-premises to update their installations. This process, Curry said, took over three months.
The Daily Swig has invited Pegasystems to comment on the findings.