KB44755 - Pulse Connect Secure (PCS) Integrity Assurance


Information

 
Last Modified Date: 3/29/2021 1:05 PM
Synopsis
The Ivanti Product Security Incident Response Team (PSIRT) has introduced a new tool to enhance your ability to ensure the full integrity of your Pulse Connect Secure software. This article is an introduction and quick start guide to our newly developed Pulse Connect Secure Integrity Tool.

This document applies only to Pulse Connect Secure (PCS) Software and to no other Pulse Secure Products / Software.

 
Problem or Goal
In the past, intruders primarily targeted infrastructure devices. Intruders can perform several types of attacks on network devices, and malicious actors are now also looking for ways to subvert the normal behavior of infrastructure devices.

In general, these intruders gain access by exploiting vulnerabilities on the system or by manipulating an authorized user through social engineering attacks.

Please refer to the Security Advisory section for all vulnerabilities and disclosures.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? for our End of Engineering (EOE) and End of Life (EOL) policies.
Solution
The Integrity Tool allows an administrator to verify the PCS image installed on virtual or hardware appliances. The tool checks the integrity of the complete file system and reports any additional or modified file(s).

Note: The Integrity Tool can be used only to check the integrity of the running version of Pulse Connect Secure.
 
Integrity Tool: Pulse Connect Secure Integrity Tool (Build 11915)
Download: Link


The Integrity Tool is currently supported on the following PCS versions:

Pulse Connect Secure Version / Build Number | Note (If Any)
Pulse Connect Secure 9.1R11.1 (Build 11915) |
Pulse Connect Secure 9.1R11 (Build 11161) |
Pulse Connect Secure 9.1R10 (Build 10119) |
Pulse Connect Secure 9.1R9.1 (Build 9701) |
Pulse Connect Secure 9.1R9 (Build 9189) |
Pulse Connect Secure 9.1R8.2 (Build 8511) |
Pulse Connect Secure 9.1R8.1 (Build 7851) |
Pulse Connect Secure 9.1R8 (Build 7453) |
Pulse Connect Secure 9.1R7 (Build 6567) |
Pulse Connect Secure 8.3R7.1 (Build 65025) |

Frequently Asked Questions (FAQ):

Question 1: How do I run the Integrity Tool on Pulse Connect Secure appliances?
Answer: Follow these steps to run the Integrity Tool on the Pulse Connect Secure appliance:
  • Log in to the administrator console of the PCS appliance.
  • Navigate to Maintenance >> Upgrade/Downgrade and locate the Install Service Package section.
  • Click Browse and select the Integrity Tool package (downloaded from the Download link above).
  • Click Install.
  • The process takes a few minutes, and the appliance reboots automatically.
  • You can monitor progress from the console.

Question 2: Will the device reboot after running the Integrity Tool?
Answer: Yes. Once you run the Integrity Tool, your device automatically reboots.

Question 3: After running the Integrity Tool, how can we verify the results?
Answer: Once you run the Integrity Tool, the upgrade page shows the results of the run.
  • The tool reports on the upgrade screen whether any hash mismatch was found.
  • The administrator can check Step 8 or Step 9 for any mismatched hash or newly detected file.
  • Any newly detected or mismatched files are zipped and encrypted.
  • The Admin Generated Snapshot can be downloaded from System Snapshots.
Note: On the PSA300 appliance, the Integrity Tool may report multiple newly detected files. The engineering team is aware of this issue and working on a fix. This is a false-positive scenario and applies only to the PSA300 appliance.

Question 4: An Admin Generated Snapshot was generated post-reboot, but my appliance showed 0 mismatched files or newly detected files. Is this expected?
Answer: Yes, this is expected behavior. PCS generates the Admin Generated Snapshot after every reboot that follows a run, even when no files are flagged.

Question 5: We are using an A/A or A/P cluster. Do we need to run the Integrity Tool individually on each node?
Answer: Yes, in a cluster the Integrity Tool must be run individually on each node.

Question 6: We are using an A/A or A/P cluster. Do we need to break the cluster to run this tool?
Answer: No, there is no need to break the cluster to run the Integrity Tool on the appliance.

Question 7: Does this tool repair any file during the reboot?
Answer: No, this tool does not repair any file during the reboot of the appliance.

Question 8: While running the Integrity Tool, the log message "System software upgrade failed.  Installation timed out." is generated under the admin logs. Is this a problem?
Answer: This is expected behavior, as this tool only verifies the integrity of the appliance. An administrator can ignore this error message.

Question 9: What are the MD5 and SHA1 hash values of the PCS Integrity Tool?
Answer: You can download the Integrity Tool (package-integrity-checker-11915.pkg) from the Download link above.
The MD5 and SHA1 hash values are:
MD5: ddb4b1a6ee37161a911c8d9f623bd8c9
SHA1: 49a913beac881b0c3a12a010a4000982c0d02226
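The values above are only useful if the administrator actually compares them against the file before uploading it to the appliance. The following script is an added example, not part of the article or the Pulse Secure tool: it hashes the downloaded package in chunks, compares both digests against the published values using a constant-time comparison, and exits non-zero on any mismatch. The only values it assumes are the two digests printed above; the default file name is the package name the article gives.

```python
"""Verify a downloaded Integrity Tool package against the MD5 and SHA1
values published in the KB article before uploading it to the appliance.
Added example; not Pulse Secure code."""
import hashlib
import hmac
import sys
from pathlib import Path

# Published digests for package-integrity-checker-11915.pkg (from the article).
PUBLISHED_HASHES = {
    "md5": "ddb4b1a6ee37161a911c8d9f623bd8c9",
    "sha1": "49a913beac881b0c3a12a010a4000982c0d02226",
}


def digest_bytes(data: bytes, algorithms=("md5", "sha1")) -> dict:
    """Return lowercase hex digests of `data` for each named algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def digest_file(path, algorithms=("md5", "sha1"), chunk_size=1 << 20) -> dict:
    """Hash a file in 1 MiB chunks so a large package need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_hashes(actual: dict, expected: dict) -> dict:
    """Compare every expected digest and return {algorithm: matched}.

    A digest missing from `actual` counts as a mismatch, so a package is
    only considered intact when every published algorithm checks out."""
    result = {}
    for name, exp in expected.items():
        got = actual.get(name, "")
        # compare_digest avoids leaking where the strings differ; normalise
        # case first because published digests are sometimes upper-case.
        result[name] = hmac.compare_digest(got.lower(), exp.lower())
    return result


def package_is_intact(path, expected=PUBLISHED_HASHES) -> bool:
    """True only if all published digests match the file on disk."""
    return all(verify_hashes(digest_file(path), expected).values())


if __name__ == "__main__":
    pkg = sys.argv[1] if len(sys.argv) > 1 else "package-integrity-checker-11915.pkg"
    if not Path(pkg).is_file():
        sys.exit(f"{pkg}: file not found")
    checks = verify_hashes(digest_file(pkg), PUBLISHED_HASHES)
    for name, ok in checks.items():
        print(f"{name.upper()}: {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(checks.values()) else 1)
```

Run it as `python3 verify_pkg.py package-integrity-checker-11915.pkg` from the directory holding the download. MD5 and SHA1 are both weak against deliberate collisions, so treating a match as proof that the file is the vendor's package relies on the digests having been read from this article over HTTPS; the check mainly guards against a corrupted or swapped download.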

Question 10: While running the Integrity Tool, the tool failed on the 3rd step with "Step 3: Integrity checker is not supported for this PCS version. ... complete (0 seconds)". Why?
Answer: This is expected behavior, as this tool only verifies the production PCS versions / build numbers listed above.

Question 11: Will this tool be available for future releases?
Answer: The Engineering Team is continuing to improve this tool and plans to build an incremental version of it for each release.

Question 12: Are any of the client components upgraded by this Integrity Tool?
Answer: No, this tool does not upgrade the PCS version or any client component on the PCS appliance.

Question 13: While running the Integrity Tool, we see mismatched files or newly detected files. What should we do?
Answer: Please download the Admin Generated Snapshot post-reboot and create a Support Ticket for further investigation.
For more information, see KB44764 (Customer FAQ).

Question 14: How can I download the Admin Generated Snapshot from the PCS appliance?
Answer: To download the Admin Generated Snapshot, follow these steps:
  1. Navigate to TroubleShooting > System Snapshots.
  2. Click the Admin generated snapshot link to save the file as pulsesecure-state-admin-scanner-<date>-<time>.

WHAT CAN AN ADMIN DO FOR ADDITIONAL INDICATORS:

Enabling Unauthenticated Request option

By default, unauthenticated requests are not logged by the VPN appliance. They are logged only once the Unauthenticated Request option (under Log/Monitoring > User Access > Setting) is enabled; it is off by default.

Once this option is enabled, the administrator can review these requests in the User Access logs.

Checking External Syslog Logs
Pulse Connect Secure can be configured to send Syslog information to an external Syslog server. Administrators should check these logs for unusual authentication attempts against the PCS appliance. Refer to KB22227.
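"Unusual authentication attempts" is easier to act on once it is turned into concrete detections that can run over a syslog export. The script below is an added example, not part of the article and not Pulse Secure code. The log lines and the `auth: user=... src=... result=...` format it parses are constructed for the example; they are not the appliance's real message format, so the regular expression must be adapted to the fields your PCS forwards. It implements two checks on whatever an external syslog server collected: a burst of authentication failures from one source inside a short window, and a successful login from a source that had several failures just before it, which is the stronger indicator of the two.

```python
"""Detect suspicious authentication patterns in exported syslog lines.
Added example; the line format is constructed and is NOT Pulse Connect
Secure's actual log format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real PCS output). 203.0.113.9 fails five
# times in ten seconds, then succeeds; carol has one stale failure.
SAMPLE_LOGS = """\
2021-03-29T10:00:01Z pcs01 auth: user=alice src=10.1.2.3 result=success
2021-03-29T10:00:05Z pcs01 auth: user=bob src=10.1.2.4 result=success
2021-03-29T10:01:00Z pcs01 auth: user=admin src=203.0.113.9 result=failure
2021-03-29T10:01:02Z pcs01 auth: user=admin src=203.0.113.9 result=failure
2021-03-29T10:01:03Z pcs01 auth: user=root src=203.0.113.9 result=failure
2021-03-29T10:01:05Z pcs01 auth: user=test src=203.0.113.9 result=failure
2021-03-29T10:01:09Z pcs01 auth: user=admin src=203.0.113.9 result=failure
2021-03-29T10:01:30Z pcs01 auth: user=admin src=203.0.113.9 result=success
2021-03-29T10:20:00Z pcs01 auth: user=carol src=10.1.2.5 result=failure
2021-03-29T11:30:00Z pcs01 auth: user=carol src=10.1.2.5 result=success
"""

# Assumed message layout; replace with a pattern for your appliance's fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_lines(text):
    """Yield one dict per line matching LINE_RE; unmatched lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def find_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Return {src: max_failures_in_window} for sources that reach
    `threshold` failures inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            failures[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def success_after_failures(records, min_failures=3, window=timedelta(minutes=10)):
    """Return [(src, user, ts)] for successes preceded by at least
    `min_failures` failures from the same source within `window`."""
    history = defaultdict(list)
    hits = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        # keep only this source's failures that are still inside the window
        recent = [t for t in history[r["src"]] if r["ts"] - t <= window]
        history[r["src"]] = recent
        if r["result"] == "failure":
            recent.append(r["ts"])
        elif len(recent) >= min_failures:
            hits.append((r["src"], r["user"], r["ts"]))
    return hits


def analyse(text):
    """Run both detections over a block of syslog text."""
    records = list(parse_lines(text))
    return {
        "bursts": find_bursts(records),
        "success_after_failures": success_after_failures(records),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_LOGS).items():
        print(f"{name}: {finding}")
```

The thresholds (5 failures in 5 minutes, a success after 3 failures in 10 minutes) are starting points; tune them against a baseline of the appliance's normal traffic before alerting on them, and feed any hit back into the Integrity Tool workflow above (run the tool, preserve the Admin Generated Snapshot, open a support ticket).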

Device Management

Lock down administrative access to the internal or management interfaces only. Disable admin access from the external port, which is the default setting.

Refer to the following KB for more details: KB29805 - Pulse Connect Secure: Security configuration best practices

Document History:
March 31, 2021 - Initial public release.
 
Created By: Sahil Mahajan
