KB44755 - Pulse Connect Secure (PCS) Integrity Assurance

Last Modified Date: 10/13/2021 4:34 PM
Synopsis
The Ivanti Product Security Incident Response Team (PSIRT) has introduced a new tool to help you verify the full integrity of your Pulse Connect Secure software. This article is an introduction and quick-start guide to the newly developed Pulse Connect Secure Integrity Tool.

This document applies only to Pulse Connect Secure (PCS) Software and to no other Pulse Secure Products / Software.

 
Problem or Goal
Historically, intruders have targeted infrastructure devices. Beyond the several types of attacks that can be launched against network devices, malicious actors are now looking for ways to subvert the normal behavior of the infrastructure devices themselves.

In general, these intruders gain access by exploiting vulnerabilities on the system, or by manipulating an authorized user through social engineering attacks.

Please refer to the Security Advisory section for all vulnerabilities and disclosures.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? for our End of Engineering (EOE) and End of Life (EOL) policies.
Solution
The Integrity Tool allows an administrator to verify the PCS image installed on virtual or hardware appliances. The tool checks the integrity of the complete file system and reports any additional or modified file(s).

Note: The Integrity Tool can be used only to check the integrity of the running version of Pulse Connect Secure.
 
Integrity Tool: Pulse Connect Secure Integrity Tool
Download: Download Center at https://my.pulsesecure.net
Hashes:
  MD5  : f24c1e094c6ed96f3ac6c3c9bad3f2c6
  SHA1 : b14d9f0af7c1e8c10ea3bf7eb5e0fc89cd6d76b4


The Integrity Tool is currently supported on the following PCS versions:

Pulse Connect Secure Version / Build Number      Note (If Any)
Pulse Connect Secure 9.1R13 (Build 15339)        -
Pulse Connect Secure 9.1R12.1 (Build 15299)      -
Pulse Connect Secure 9.1R12 (Build 14139)        -
Pulse Connect Secure 9.1R11.5 (Build 13127)      -
Pulse Connect Secure 9.1R11.4 (Build 12319)      -
Pulse Connect Secure 9.1R11.3 (Build 12173)      -
Pulse Connect Secure 9.1R11.1 (Build 11915)      -
Pulse Connect Secure 9.1R11 (Build 11161)        -
Pulse Connect Secure 9.1R10.2 (Build 12179)      -
Pulse Connect Secure 9.1R10 (Build 10119)        -
Pulse Connect Secure 9.1R9.2 (Build 12181)       -
Pulse Connect Secure 9.1R9.1 (Build 9701)        -
Pulse Connect Secure 9.1R9 (Build 9189)          -
Pulse Connect Secure 9.1R8.4 (Build 12177)       -
Pulse Connect Secure 9.1R8.2 (Build 8511)        -
Pulse Connect Secure 9.1R8.1 (Build 7851)        -
Pulse Connect Secure 9.1R8 (Build 7453)          -
Pulse Connect Secure 9.1R7 (Build 6567)          -
Pulse Connect Secure 9.1R6 (Build 5801)          -
Pulse Connect Secure 9.1R5 (Build 5459)          -
Pulse Connect Secure 9.1R4.3 (Build 5185)        -
Pulse Connect Secure 9.1R4.2 (Build 5035)        -
Pulse Connect Secure 9.1R4.1 (Build 4967)        -
Pulse Connect Secure 9.1R4 (Build 4763)          -
Pulse Connect Secure 9.1R3 (Build 3535)          -
Pulse Connect Secure 9.1R2 (Build 2331)          -
Pulse Connect Secure 9.1R1 (Build 1505)          -
Pulse Connect Secure 8.3R7.1 (Build 65025)       -


Integrity Checker Tool Historical Version Matrix

 
Release Date       Title                              Supported Versions
March 26th 2021    package-integrity-checker-11951.1  8.3R7.1 (build 65025), 9.1R7 (build 6567), 9.1R8 (build 7453), 9.1R8.1 (build 7851), 9.1R8.2 (build 8511), 9.1R9 (build 9189), 9.1R9.1 (build 9701), 9.1R10 (build 10119), 9.1R11 (build 11161), 9.1R11.1 (build 11915)
April 15th 2021    package-integrity-checker-12209.1  9.1R8.4 (build 12177), 9.1R9.2 (build 12181), 9.1R10.2 (build 12179), 9.1R11.3 (build 12173)
April 18th 2021    package-integrity-checker-12255.1  9.1R1 (build 1505), 9.1R2 (build 2331), 9.1R3 (build 3535), 9.1R4 (build 4763), 9.1R4.1 (build 4967), 9.1R4.2 (build 5035), 9.1R4.3 (build 5185), 9.1R5 (build 5459), 9.1R6 (build 5801)
April 19th 2021    package-integrity-checker-12289.1  9.1R11.3:HF1 (build 12235)
May 3rd 2021       package-integrity-checker-12363.1  9.1R9.1HF1 (build 10625), 9.1R11.1HF1 (build 12049), 9.1R11.4 (build 12319)
June 11th 2021     package-integrity-checker-13145.1  9.1R11.5 (build 13127)
August 2nd 2021    package-integrity-checker-14165.1  8.3R7.1 (build 65025), 9.1R7 (build 6567), 9.1R8 (build 7453), 9.1R8.1 (build 7851), 9.1R8.2 (build 8511), 9.1R9 (build 9189), 9.1R9.1 (build 9701), 9.1R10 (build 10119), 9.1R11 (build 11161), 9.1R11.1 (build 11915), 9.1R11.3 (build 12173), 9.1R11.4 (build 12319), 9.1R11.5 (build 13127), 9.1R12 (build 14139)
October 5th 2021   package-integrity-checker-15343.1  8.3R7.1 (build 65025), 9.1R7 (build 6567), 9.1R8 (build 7453), 9.1R8.1 (build 7851), 9.1R8.2 (build 8511), 9.1R9 (build 9189), 9.1R9.1 (build 9701), 9.1R10 (build 10119), 9.1R11 (build 11161), 9.1R11.1 (build 11915), 9.1R11.3 (build 12173), 9.1R11.4 (build 12319), 9.1R11.5 (build 13127), 9.1R12 (build 14139), 9.1R12.1 (build 15299)
October 13th 2021  package-integrity-checker-15417.1  8.3R7.1 (build 65025), 9.1R7 (build 6567), 9.1R8 (build 7453), 9.1R8.1 (build 7851), 9.1R8.2 (build 8511), 9.1R9 (build 9189), 9.1R9.1 (build 9701), 9.1R10 (build 10119), 9.1R11 (build 11161), 9.1R11.1 (build 11915), 9.1R11.3 (build 12173), 9.1R11.4 (build 12319), 9.1R11.5 (build 13127), 9.1R12 (build 14139), 9.1R12.1 (build 15299), 9.1R13 (build 15339)

We will continue to provide Stand-Alone ICT packages to facilitate independent scans.

1) Can I still use the current release of the ICT?
   Yes, the current release of the ICT has proven to be highly effective in discovering malicious activity on the gateway.

2) Has the ICT been circumvented by anyone?
   To date, we have not had any reports of a threat actor circumventing the ICT, nor have any of our security partners. However, since it is theoretically possible on a fully compromised system to circumvent the ICT with sufficient time and effort, we are building improved integrity checking capabilities into upcoming releases.

Frequently Asked Questions (FAQ):

Question 1: How do I run the Integrity Tool on Pulse Connect Secure appliances?
Answer: Follow these steps to install the Integrity Tool package on the Pulse Connect Secure appliance:
  • Log in to the administrator console of the PCS appliance.
  • Navigate to Maintenance >> Upgrade/Downgrade >> Install Service Package.
  • Click Browse and select the Integrity Tool package (downloaded from the Download link above).
  • Click Install.
  • This process takes a few minutes, and the appliance reboots automatically.
  • You can monitor progress from the appliance console.

Question 2: Will the device reboot after running the Integrity Tool?
Answer: Yes, once you run the Integrity Tool, your device will reboot automatically.

Question 3: After running the Integrity Tool, how can we verify the results?
Answer: Once the Integrity Tool has run, the upgrade page displays the results:
  • The tool shows messages on the upgrade screen indicating whether any hash mismatches were found.
  • The administrator can check Step 8 or Step 9 of the output for any hash-mismatched or newly detected files.
  • Any detected or mismatched files are zipped and encrypted.
  • The Admin Generated Snapshot can be downloaded from System Snapshots.
Note: On the PSA300 appliance, the Integrity Tool may report multiple newly detected files. The engineering team is aware of this issue and is working on a fix. This is a false-positive scenario and applies only to the PSA300 appliance.

Question 4: An Admin Generated Snapshot was generated post-reboot; however, my appliance showed 0 mismatched files and 0 newly detected files. Is this expected?
Answer: Yes, this is expected behavior. PCS generates the Admin Generated Snapshot after every post-reboot run, regardless of the result.

Question 5: We are using an A/A or A/P cluster. Do we need to run the Integrity Tool individually on each node?
Answer: Yes, in a cluster the Integrity Tool must be run individually on each node.

Question 6: We are using an A/A or A/P cluster. Do we need to break the cluster to run this tool?
Answer: No, there is no need to break the cluster to run the Integrity Tool on the appliance.

Question 7: Does this tool repair any files during the reboot?
Answer: No, this tool does not repair any files during the reboot of the appliance.

Question 8: While running the Integrity Tool, the message "System software upgrade failed.  Installation timed out." is generated in the admin logs. Is this expected?
Answer: This is expected behavior, as this tool only verifies the integrity of the appliance and does not install software. An administrator can ignore this error message.

Question 9: What are the MD5 and SHA1 hash values of the PCS Integrity Tool?
Answer: You can download the Integrity Tool from the Download Center at https://my.pulsesecure.net.
The MD5 and SHA1 hash values are:
MD5 : f24c1e094c6ed96f3ac6c3c9bad3f2c6
SHA1 : b14d9f0af7c1e8c10ea3bf7eb5e0fc89cd6d76b4
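Before uploading the downloaded package through Install Service Package, an administrator should confirm that both digests listed above (and in the Hashes table earlier in this article) match the file on disk. The script below is an added example and not part of the KB or of the Integrity Tool itself; it streams the file through hashlib so a large service package is never held in memory, and it requires both the MD5 and the SHA1 to agree with the published values before reporting the package as trusted. The file name passed on the command line is whatever you saved the download as.

```python
import hashlib
import hmac
import sys

# Digests published in KB44755 for the Pulse Connect Secure Integrity Tool package.
PUBLISHED_MD5 = "f24c1e094c6ed96f3ac6c3c9bad3f2c6"
PUBLISHED_SHA1 = "b14d9f0af7c1e8c10ea3bf7eb5e0fc89cd6d76b4"


def file_digests(path, chunk_size=1 << 20):
    """Return (md5_hex, sha1_hex) for a file, reading it in 1 MiB chunks so a
    multi-hundred-megabyte service package never has to fit in memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_package(path, expected_md5=PUBLISHED_MD5, expected_sha1=PUBLISHED_SHA1):
    """Compare a downloaded package against the published digests.

    Both digests must match: a file whose MD5 agrees but whose SHA1 does not
    (or vice versa) is reported as untrusted. The result is a dict so a caller
    can log exactly which digest disagreed rather than just a yes/no."""
    actual_md5, actual_sha1 = file_digests(path)
    # compare_digest avoids short-circuiting on the first differing character.
    md5_ok = hmac.compare_digest(actual_md5, expected_md5.strip().lower())
    sha1_ok = hmac.compare_digest(actual_sha1, expected_sha1.strip().lower())
    return {
        "path": str(path),
        "md5": actual_md5,
        "sha1": actual_sha1,
        "md5_ok": md5_ok,
        "sha1_ok": sha1_ok,
        "ok": md5_ok and sha1_ok,
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_ict.py <downloaded-integrity-tool-package>")
    result = verify_package(sys.argv[1])
    for name in ("md5", "sha1"):
        status = "OK" if result[name + "_ok"] else "MISMATCH"
        print(f"{name.upper():4} {result[name]}  {status}")
    if not result["ok"]:
        # Do not install a package whose digests do not match the published values.
        sys.exit("package digests do not match KB44755; do not install this file")
    print("package matches published digests")
```

Run it as `python3 verify_ict.py package-integrity-checker-15417.1` (or whatever the saved file is called); a non-zero exit code makes it safe to chain into a download script so that a mismatched package is never staged for upload.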

Question 10: While running the Integrity Tool, the tool failed at the third step with the message "Step 3: Integrity checker is not supported for this PCS version. ... complete (0 seconds)". Why?
Answer: This is expected behavior: the tool only verifies the production PCS versions / build numbers listed above.

Question 11: Will this tool be available for future releases?
Answer: The Engineering team is working on further improvements to this tool and plans to build an incremental tool for each release.

Question 12: Are any client components upgraded by this Integrity Tool?
Answer: No, this tool does not upgrade the PCS version or any client component on the PCS appliance.

Question 13: While running the Integrity Tool, we are seeing mismatched files or newly detected files. What should we do?
Answer: Download the Admin Generated Snapshot post-reboot and create a Support Ticket for further investigation.
For more information, see KB44764 (Customer FAQ).

Question 14: How can I download the Admin Generated Snapshot from the PCS appliance?
Answer: To download the Admin Generated Snapshot, follow these steps:
  1. Navigate to Troubleshooting > System Snapshots.
  2. Click the Admin generated snapshot link to save the file as pulsesecure-state-admin-scanner-<date>-<time>.

Question 15: When will the Integrity Checker Tool be built into the product?
Answer: This tool is integrated into 9.1R12 and above.

Question 16: Do users on PCS 9.1R12 or higher also need to run the ICT manually on a regular basis?
Answer: There is no need to run both regularly. The standalone ICT can be run as an additional check whenever required.

Question 17: Is there any difference between the Integrity Checker feature that checks automatically and the package-integrity-checker-14165.1 that is run manually?
Answer: There is no functional difference between the built-in Integrity Checker feature and the standalone ICT.

WHAT CAN AN ADMIN DO FOR ADDITIONAL INDICATORS:

Enabling the Unauthenticated Request option

Unauthenticated requests are not logged on the VPN appliance unless the Unauthenticated Request option (under Log/Monitoring > User Access > Setting) is enabled; it is off by default.

Once this option is enabled, the administrator can review these requests in the User Access logs.

Checking External Syslog Logs
Pulse Connect Secure can be configured to send syslog information to an external syslog server. Administrators should check those logs for unusual authentication attempts against the PCS appliance. Refer to KB22227.
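What "unusual authentication attempts" looks like in practice is a burst of failures from one source address across several accounts, sometimes followed by a success from that same address. The script below is an added example for reviewing exported syslog data offline; it is not part of the KB or of PCS, and the sample lines it parses are constructed in a simplified format that only resembles PCS user-access events (assumption: adapt LINE_RE to the message format your syslog server actually receives). It groups login events by source IP, flags any IP with at least `threshold` failures inside a sliding `window`, and then flags every success from that IP that follows the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real PCS output). The format is an
# assumption made for this example; real PCS messages differ, so adjust LINE_RE.
SAMPLE_LOGS = """\
2021-10-13T09:00:01Z pcs-gw01 PulseSecure: [192.0.2.10] alice(Users) Login succeeded for alice/Users
2021-10-13T09:00:05Z pcs-gw01 PulseSecure: [198.51.100.7] alice(Users) Login failed for alice/Users. Reason: Failed
2021-10-13T09:00:09Z pcs-gw01 PulseSecure: [198.51.100.7] bob(Users) Login failed for bob/Users. Reason: Failed
2021-10-13T09:00:12Z pcs-gw01 PulseSecure: [198.51.100.7] carol(Users) Login failed for carol/Users. Reason: Failed
2021-10-13T09:00:15Z pcs-gw01 PulseSecure: [198.51.100.7] dave(Users) Login failed for dave/Users. Reason: Failed
2021-10-13T09:00:20Z pcs-gw01 PulseSecure: [198.51.100.7] erin(Users) Login failed for erin/Users. Reason: Failed
2021-10-13T09:00:31Z pcs-gw01 PulseSecure: [198.51.100.7] erin(Users) Login succeeded for erin/Users
2021-10-13T10:30:00Z pcs-gw01 PulseSecure: [203.0.113.5] frank(Users) Login failed for frank/Users. Reason: Failed
2021-10-13T11:45:00Z pcs-gw01 PulseSecure: [203.0.113.5] frank(Users) Login succeeded for frank/Users
"""

# timestamp, hostname, source IP in brackets, user(realm), then the outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ PulseSecure: \[(?P<ip>[^\]]+)\] (?P<user>[^(]+)\(\S+\) "
    r"Login (?P<outcome>succeeded|failed)"
)


def parse(text):
    """Turn raw syslog text into a list of login events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["outcome"] == "succeeded",
        })
    return events


def find_suspicious(events, window=timedelta(minutes=5), threshold=4):
    """Flag source IPs with >= threshold failed logins inside `window`, plus any
    successful login from such an IP at or after the end of that burst."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        burst_end = None
        # Slide a window over the failures; report the first burst that reaches the threshold.
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1]["ts"]
                findings.append({
                    "ip": ip, "type": "auth_failure_burst", "count": j - i,
                    "users": sorted({e["user"] for e in fails[i:j]}),
                    "start": fails[i]["ts"], "end": burst_end,
                })
                break
        if burst_end is not None:
            # A success right after a spray of failures deserves the most attention.
            for e in evs:
                if e["ok"] and e["ts"] >= burst_end:
                    findings.append({"ip": ip, "type": "success_after_burst",
                                     "user": e["user"], "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse(SAMPLE_LOGS)):
        print(f)
```

Against the constructed sample, 198.51.100.7 is reported for five failures across five accounts in fifteen seconds and again for erin's subsequent success, while the single failure from 203.0.113.5 stays below the threshold. Tune `window` and `threshold` to the normal failure rate of your own user population before relying on the output.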

Device Management

Lock down administrative access to the internal or management interfaces only. Disable admin access from the external port; this is the default setting.

Please refer to the following KB for more details: KB29805 - Pulse Connect Secure: Security configuration best practices

Document History:
March 31, 2021    - Initial public release.
April 15, 2021    - New version of the ICT (Integrity Checker Tool) available for dot releases and older releases.
April 18, 2021    - New version of the ICT (Integrity Checker Tool) available for older releases.
June 11, 2021     - New version of the ICT (package-integrity-checker-13145.1) available for download.
October 7, 2021   - New versions of the ICT available for download.
October 13, 2021  - New versions of the ICT available for download.
 
Created By: Sahil Mahajan