The Ivanti Product Security Incident Response Team (PSIRT) has introduced a new tool to enhance your ability to ensure the full integrity of your Pulse Connect Secure software.  This article is an introduction and quick start guide to our newly developed Pulse Connect Secure Integrity Tool.  

This document applies only to Pulse Connect Secure (PCS) Software and to no other Pulse Secure Products / Software.

 

In the past, intruders were primarily targeting infrastructure devices. While intruders can perform several types of attacks on network devices, malicious actors are now looking for ways to subvert the normal behavior of infrastructure devices.

In general, these intruders can gain access, typically by exploiting vulnerabilities on the system or possibly manipulate an authorized user via a number of social engineering attacks.

Please refer Security Advisory Section for all vulnerabilities and disclosures.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? per our End of Engineering (EOE) and End of Life (EOL) policies.

 

The integrity tool can allow an administrator to verify the PCS Image installed on Virtual or Hardware Appliances This tool checks the integrity of the complete file system and finds any additional/modified file(s).

Note: The Integrity Tool can be used only to check the integrity of the running version of Pulse Connect Secure.
 

Integrity Tool	Download	Hashes
Pulse Connect Secure Integrity Tool	Download (Download Center at https://my.pulsesecure.net)	MD5 : dac0ac8c64efcb0b8e18374222434035 SHA2 : 39e964a4d9548f482ef6997c4e960e8a88f31c085785928c9820cf17175ef411

The Integrity Tool is currently supported on the following PCS versions:

Pulse Connect Secure Version / Build Number	Note (If Any)
Ivanti Connect Secure 22.2R1.0 (Build 657)
Pulse Connect Secure 9.1R16 (Build 20059)
Ivanti Connect Secure 22.1R6.0 (Build 575)
Pulse Connect Secure 9.1R15 (Build 18393)
Ivanti Connect Secure 22.1R1 (Build 421)
Pulse Connect Secure 9.1R13.2 (Build 18121)
Pulse Connect Secure 9.1R14.1 (Build 18105)
Ivanti Connect Secure 21.12R1 (Build 145)
Pulse Connect Secure 9.1R14 (Build 16847)
Pulse Connect Secure 9.1R13.1 (Build 16253)
Ivanti Connect Secure 21.9R1 (Build 421)
Pulse Connect Secure-9.1R13 (Build 15339)
Pulse Connect Secure-9.1R12.1 (Build 15299)
Pulse Connect Secure-9.1R12 (Build 14139)
Pulse Connect Secure-9.1R11.5 (Build 13127)
Pulse Connect Secure-9.1R11.4 (Build 12319)
Pulse Connect Secure-9.1R11.3 (Build 12173)
Pulse Connect Secure 9.1R11.1 (Build 11915)
Pulse Connect Secure 9.1R11 (Build 11161)
Pulse Connect Secure-9.1R10.2 (Build 12179)
Pulse Connect Secure 9.1R10 (Build 10119)
Pulse Connect Secure-9.1R9.2 (Build 12181)
Pulse Connect Secure-9.1R9.1 (Build 9701)
Pulse Connect Secure 9.1R9 (Build 9189)
Pulse Connect Secure 9.1R8.4 (Build 12177)
Pulse Connect Secure-9.1R8.2 (Build 8511)
Pulse Connect Secure-9.1R8.1 (Build 7851)
Pulse Connect Secure-9.1R8 (Build 7453)
Pulse Connect Secure-9.1R7 (Build 6567)
Pulse Connect Secure 9.1R6 (build 5801)
Pulse Connect Secure 9.1R5 (build 5459)
Pulse Connect Secure 9.1R4.3 (build 5185)
Pulse Connect Secure 9.1R4.2 (build 5035)
Pulse Connect Secure 9.1R4.1 (build 4967)
Pulse Connect Secure 9.1R4 (build 4763)
Pulse Connect Secure 9.1R3 (build 3535)
Pulse Connect Secure 9.1R2 (build 2331)
Pulse Connect Secure 9.1R1 (Build 1505)
Pulse Connect Secure-8.3R7.1 (Build 65025)

Integrity Checker Tool Historical Version Matrix

We will continue to provide Stand-Alone ICT packages to facilitate independent scans.

1) Can I still use the current release of the ICT?
              Yes, the current release of the ICT has proven to be highly effective in discovering malicious activity on the gateway.

2) Has the ICT been circumvented by anyone?
              To date, we have not had any reports of a threat actor circumventing the ICT, nor have any of our security partners. However, since it is theoretically possible on a fully compromised system to circumvent the ICT with sufficient time and effort, we are building improved integrity checking capabilities into upcoming releases.

Frequently Asked Questions (FAQ):

Question 1: How do I run the Integrity Tool on Pulse Connect Secure appliances?
Answer: Please follow the following steps to deploy the patch on the Pulse Connect Secure appliance:

• Log in to the administrator console of the PCS appliance.
• Navigate to Maintenance >> Upgrade/Downgrade >> Under Install Service Package
• Click on Browse and Select the Integrity Tool. (Download the Tool from above Download Link)
• Click on Install.
• This process will take a few minutes and the appliance automatically gets rebooted.
• You can monitor the console access for the process.

Question 2: Will the device reboot after running the Integrity Tool?
Answer: Yes, once you run the Integrity Tool, your device it will automatically get rebooted. 

Question 3: After running the Integrity Tool, how we can verify the results?
Answer: Once you run the Integrity Tool, the following upgrade page appears post running the tool.

• The tool will show messages on the upgrade screen whether there is any mismatch of hashes.
• The administrator can check Step 8 or Step 9 for any hash mismatched or newly detected file.
• Any detected files or mismatched files will be zipped and encrypted.
• The Admin Generated Snapshot can be downloaded from the System Snapshot.

  
 

Note: In PSA300 Appliance, the Integrity tool may pick multiple newly detected files.  The engineering team is already aware of this issue and working on a fix. This is a false-positive scenario and only applicable to PSA300 Appliance.

Question 4: Admin Generated Snapshot generated post-reboot,  however, my appliance was showing 0 Mismatched files or Newly Detected files.
Answer: Yes, this is expected behavior. Post reboot, PCS generates the Admin Generated Snapshot.

Question 5: We are using A/A or A/P Cluster, do we need to run Integrity Tool individually on each node?
Answer: Yes, we need to run the Integrity Tool individually on each node in the cluster scenario.

Question 6: We are using A/A or A/P Cluster, do we break the cluster to run this tool?
Answer: No, there is no need to break the cluster to run the Integrity Tool on the appliance.

Question 7: Do this tool repair any file during the reboot?
Answer: No, this tool does not repair any file during the reboot of the appliance.

Question 8: While running the Integrity Tool, the following logs "System software upgrade failed.  Installation timed out." are generated under admin logs?
Answer: This is expected behavior as this tool is only to verify the integrity of the appliance. An administrator could ignore this error message.

Question 9: What is the MD5 and SHA Hash value of the PCS Integrity Tool?
Answer: You can download the Integrity Tool from the Download Center at https://my.pulsesecure.net.
Please find the MD5 and SHA2 Hash values:
MD5 : dac0ac8c64efcb0b8e18374222434035
SHA2 : 39e964a4d9548f482ef6997c4e960e8a88f31c085785928c9820cf17175ef411

Question 10: While running the Integrity Tool, the tool failed on the 3rd step "Step 3: Integrity checker is not supported for this PCS version. ... complete (0 seconds)"?
Answer: This is expected behavior as this tool is only to verify above mentioned Production PCS version / Build Numbers.

Question 11: Can this tool be available for further releases?
Answer: Engineering Team is working on this tool for further improvements and planning to build an incremental tool for each release.

Question 12: Do any of the client components upgraded with this Integrity Tool?
Answer: No, this tool does not upgrade the PCS version or any client component on the PCS appliance.

Question 13: While running the Integrity Tool, we are seeing mismatched files or newly detected files.
Answer: Please download the Admin Generated Snapshot post-reboot and created a Support Ticket for further investigation. 
For more information visit KB44764 (Customer FAQ).

Question 14: How can I download the Admin Generated Snapshot from the PCS appliance.
Answer: To download the Admin Generated Snapshot, please follow the below steps:

1. Navigate to TroubleShooting > System Snapshots
2. Click on Admin generated snapshot link to save the file as pulsesecure-state-admin-scanner-<date>-<time>

Question 15: When will the Integrity Checker Tool be built into the product?
Answer: This tool is integrated into 9.1R12 and above.

Question 16: Do users using PCS9.1R12 or higher also need to run ICT manually on a regularly?
Answer: There is no need to run both regularly. The Standalone ICT can be run as an additional check whenever required,

Question 17: Is there any difference between the Integrity Checker feature that automatically checks and the package-integrity-checker-14165.1 that is run manually?
Answer: There is no functional difference between the Built-in Integrity checker feature and standalone ICT.

WHAT CAN AN ADMIN DO FOR ADDITIONAL INDICATORS:

Enabling the Unauthenticated Request option

By default, these requests are not logged under the VPN appliance until we have the Unauthenticated Request option enabled (Under Log/Monitoring > User Access > Setting) which is off by default.

If this option is enabled, then the administrator can check the logs in the User Access logs. 

Checking External Syslog Logs
Pulse Connect Secure can be configured to send Syslog information to an external Syslog server. Administrators should check the logs for unusual authentication attempts on the PCS appliance. Refer: KB22227

Device Management

Lockdown administrative access to internal or management interfaces only.  Disable admin access from the external port, which is the default setting. 

Please refer following KB for more details: KB29805 - Pulse Connect Secure: Security configuration best practices 

Document History:
March 31, 2021   - Initial public release.
April 15, 2021      -  New version of the ICT (Integrity Checker Tool) available for dot releases and older releases.
April 18, 2021      -  New version of the ICT (Integrity Checker Tool) available for older releases.
June 11, 2021      -  New version of the ICT (package-integrity-checker-13145.1) available for download.
October 7, 2021   -  New version of the ICT available for download.
October 13, 2021 -  New Version of the ICT available for download.
Dec 6, 2021          -  New Version of the ICT available for download.
January 19, 2022  - New Version of the ICT available for download.
August 19, 2022   -  New Version of the ICT available for download.

KB44764 - Customer FAQ: PCS Security Integrity Tool Enhancements

KB29805 - Pulse Connect Secure: Security configuration best practices