Q1 : How do I know if I’m impacted?
A: At this time, we believe the impact to be limited to a few specifically targeted customers via attempts to exploit vulnerabilities outlined in two security advisories that were patched in 2019 and 2020: Security Advisories SA44101 and SA44601. To verify whether or not your Pulse Connect Secure appliance is secure, we recommend:
We also recommend updating with the latest security enhancements which will be released on March 31, which includes the security integrity checker alert system and additional, proactive security features to help prevent future attacks against the platform.
Q2: If I am impacted, what steps should I take to secure my system?
A: If a threat actor has been successful in leveraging a vulnerability addressed in Security Advisories SA44101 and SA44601 to obtain credentials, it’s possible that these credentials could be used to gain unauthorized access to your network. We highly recommend engaging a forensic provider to help you fully understand the impact to your system.
Your Pulse Secure Support Representative can assist you in capturing forensic information as desired.
After preservation, you can remediate your Pulse Secure appliance by:
Disabling the external-facing interface.
Saving the system and user config.
Performing a factory reset via the Serial Console.
For more information refer KB22964 (How to reset a PCS device to the factory default setting via the serial console)
Updating the appliance to the newest version.
Re-import the saved config.
Re-enable the external interface.
We also highly recommend resetting all passwords in the environment and reviewing the configuration to ensure no service accounts can be used to authenticate to the vulnerability. As a reminder, Pulse Connect Secure supports several different Multi-Factor Authentication mechanisms to further secure accounts against unauthorized access.
Q3: If we (customer) are using MFA, do we need to change passwords?
A: Yes, password changes are necessary, as recommended above.
Q4: If impacted, what is the attacker able to gain access to? Should we assume that our system is under attack now?
A: We are aware of only a limited number of impacted customers. If you are impacted we highly recommend that you engage a forensic provider to investigate the potential harm to your network.
Q5: What is Ivanti doing to protect against future attacks of this kind?
A: Ivanti continues to partner and work closely with customers, law enforcement, and security firms to help ensure the security of its customers. The information sharing has helped us to develop the Ivanti Integrity Checker Tool and other security enhancements to help make the system more resilient to the on-going attempts by advanced threat actors to attack organizations.
Customer Contact Information
We encourage you to reach out to the Pulse Secure Support center which is available 24/7: +1-844-751-7629 or engage your support representative https://support.pulsesecure.net/support/support-contacts/.