Pega Infinity hotfix released after researchers flag critical authentication bypass vulnerability

Flawed password reset system opened the door to full account takeover



Users of the Pega Infinity enterprise software platform are being advised to update their installations after a vulnerability was discovered by security researchers.


According to the research team – Sam Curry, Justin Rhinehart, Brett Buerhaus, and Maik Robert – CVE-2021-27651 is a critical-risk vulnerability in versions 8.2.1 to 8.5.2 of Pega’s Infinity software.


The proof of concept demonstrates how an attacker could bypass Pega Infinity’s password reset system.


Assailants could then use the reset account to “fully compromise” the Pega instance through administrator-only remote code execution, which could include modifying dynamic pages or templating.


The researchers worked with developer Pegasystems to develop a hot fix for the software.


The vendor recommends that customers running the software on-premises should check if their version is affected and apply the relevant hot fix.


Enterprise software pwnage


Pega Infinity is a popular enterprise software suite, with over 2,000 users. The package includes customer service and sales automation, an AI-driven ‘customer decision hub’, workforce intelligence, and a ‘no-code’ development platform.


The security researchers came across the Pega Infinity vulnerability through participation in Apple’s bug bounty program.
