Flawed password reset system opened the door to full account takeover

Pega Infinity hotfix released after researchers flag critical authentication bypass vulnerability

UPDATED Users of the Pega Infinity enterprise software platform are being advised to update their installations after a vulnerability was discovered by security researchers.

According to the research team – Sam Curry, Justin Rhinehart, Brett Buerhaus, and Maik Robert – CVE-2021-27651 is a critical-risk vulnerability in versions 8.2.1 to 8.5.2 of Pega’s Infinity software.

The proof of concept demonstrates how an attacker could bypass Pega Infinity’s password reset system.

Assailants could then use the reset account to “fully compromise” the Pega instance, through administrator-only remote code execution. This could include modifying dynamic pages, or templating.

The researchers worked with developer Pegasystems to develop a hot fix for the software.

The vendor recommends that customers running the software on-premises should check if their version is affected and apply the relevant hot fix.

Enterprise software pwnage

Pega Infinity is a popular enterprise software suite, with over 2,000 users. The package includes customer service and sales automation, an AI-driven ‘customer decision hub’, workforce intelligence, and a ‘no-code’ development platform.

The security researchers came across the Pega Infinity vulnerability through participation in Apple’s bug bounty program.

RECOMMENDED Remote Mouse mobile app contains raft of zero-day RCE vulnerabilities

“We’d been hacking on Apple's bug bounty program for about six months and had spent a lot of time on software produced by Apple themselves,” UK-based hacker Sam Curry told The Daily Swig.

“We had decided to switch routes and target vendors [supplying technology to Apple] instead after reading a blog post from two awesome researchers.”

Curry has previously documented his experiences with Apple’s bug bounty program.

Behind the bug

The researchers used Burp Suite to discover the password reset weakness in Pega Infinity.

This allows a full compromise of any Pega instance with “no prerequisite knowledge”, according to Curry.

In addition, Justin Rhinehart developed a Nuclei template to determine whether software is running Pega Infinity.

Read more of the latest security research news

“These systems are largely public facing and aren’t necessarily designed to be run internally, so at the time of reporting there was a large number of affected customers running Pega Infinity externally,” Curry explained.

“Pega's customers are from every sector and at the time of reporting some of the customers included the FBI, US Air Force, Apple, American Express, and a few other huge names.”

Curry says that Pega was quick to work with the researchers to patch the vulnerability, even though they needed time for customers running Infinity on-premises to update their installations. This process, Curry said, took over three months.

Responding to questions from The Daily Swig, Pegasystems said: “We have worked with the researchers under our responsible disclosure process to develop a fix, advise clients to apply it, and issue CVE (2021-27651) on April 29, 2021.”

The vendor added: “We would like to also note that no clients have reported any issues related to this vulnerability. Pega makes security a top priority, and we have acted quickly to remedy this issue.

“Pega believes independent security researchers play a valuable role in internet security, and we encourage responsible reporting of any vulnerabilities that may be found on our site or in our applications.”

This article has been updated to include comment from Pegasystems.

DON’T FORGET TO READ What the FLoC? Everything you need to know about Google’s new ad tech that aims to replace third-party cookies