Security researchers came across a Pega Infinity vulnerability through participation in Apple’s bug bounty program, after focusing on vendors that supplied technology to Apple. Using Burp Suite, an integrated platform for performing security testing of web applications, the researchers discovered a password reset weakness in Pega Infinity that could allow an attacker to bypass Pega Infinity’s password reset system, leading to a full compromise.
Pega Infinity and Pegasystems Inc.
Pega Infinity is a popular enterprise software suite that provides customer service and sales automation, an AI-driven customer decision hub, workforce intelligence, and a ‘no-code’ development platform.
Pegasystems Inc. is an American software company based in Cambridge, Massachusetts. Founded in 1983, Pegasystems develops software for customer relationship management (CRM), digital process automation, and business process management (BPM).
Public facing
As with any customer relationship management (CRM) tool, these systems are largely public facing and aren’t necessarily designed to be run internally. Pega’s customers can be found in every sector and at the time of reporting, some of the customers included the FBI, US Air Force, Apple, and American Express. For example, using Pega, the FBI created a public-facing website that acts as an interface for all registered firearms dealers. When an individual attempts to purchase a firearm, an authorized user is able to securely log in and quickly submit a background check request to the FBI.
A patch is available
Pega was quick to work with the researchers to patch the vulnerability, even though they needed time for customers running Infinity on-premises to update their installations. This process, one of the researchers said, took over three months. One of the perks of running this type of software in the cloud was that Pega could push out the patch to their cloud-based customers.
CVE-2021-27651
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability was assigned CVE-2021-27651, with the description:
“In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.”
Proof of concept (PoC)
There are several PoCs readily available, including complete videos on YouTube, so users of the Pega Infinity enterprise software platform are being advised to update their installations. The proof of concept demonstrates how an attacker could bypass Pega Infinity’s password reset system. Assailants could then use the reset account to fully compromise the Pega instance, through administrator-only remote code execution.
Version dependent updates
Pega advises their on-premises clients to review the table posted here to determine which hotfix corresponds with their Pegasystems installation. Once they have determined the appropriate hotfix ID, they can submit a hotfix request in the Pega support portal. Pega Cloud environments running the relevant Pega versions are being proactively remediated by Pega.
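To decide which on-premises installations need a hotfix request, an inventory can be triaged against the affected range quoted in the CVE description (8.2.1 through 8.5.2). The following is an added example, not code from Pega or the researchers; the host names and version strings are constructed, and the function names are hypothetical.

```python
import re

# Affected range as quoted in the CVE-2021-27651 description above.
AFFECTED_MIN = (8, 2, 1)
AFFECTED_MAX = (8, 5, 2)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) with patch=None if not recorded, or None."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), (int(patch) if patch is not None else None)

def classify(text):
    """Classify a version string as 'affected', 'not_affected' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    major, minor, patch = parsed
    if patch is not None:
        in_range = AFFECTED_MIN <= (major, minor, patch) <= AFFECTED_MAX
        return "affected" if in_range else "not_affected"
    # Patch level missing: test the lowest and highest release of that minor line.
    low, high = (major, minor, 0), (major, minor, float("inf"))
    if high < AFFECTED_MIN or low > AFFECTED_MAX:
        return "not_affected"
    if AFFECTED_MIN <= low and high <= AFFECTED_MAX:
        return "affected"
    return "unknown"  # e.g. "8.5" could be 8.5.2 (affected) or 8.5.3 (not)

def triage(inventory):
    """Group host names by classification of their recorded version string."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory.items():
        result[classify(version)].append(host)
    return result

# Constructed sample inventory (host names and versions are illustrative only).
SAMPLE_INVENTORY = {
    "crm-app-01.example.internal": "Pega Platform 8.4.1",
    "crm-app-02.example.internal": "8.5.3",
    "crm-app-03.example.internal": "8.5",
    "crm-app-04.example.internal": "8.2.0",
    "crm-app-05.example.internal": "not recorded",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(status, hosts)
```

An "affected" result only means the recorded version falls in the published range; whether the hotfix is already installed has to be confirmed separately, and "unknown" entries need their exact patch level checked by hand.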
Stay safe, everyone!