The solution for this issue is to update the endpoint machine with a fixed version of the impacted Pulse Secure client software.
To determine which updated client software to deploy, refer to the table below. It indicates which version must be deployed depending on the type of client installed on your endpoint machines.
| If the below client is installed | Then deploy this version (or later) | Release | Note (if any) |
| --- | --- | --- | --- |
| Pulse Secure Desktop Client 9.1R5 or below | Pulse Secure Desktop Client 9.1R6 or above | Download | KB44485: PDC 9.1R6 fails to install on non-English Windows 10 x64 |
| Pulse Secure Installer Service 9.1R5 or below | Pulse Secure Installer Service 9.1R6 or above | EXE, MSI | 9.1R7 Pulse Secure Installer Service is available for download. |
Frequently Asked Questions (FAQ):
Question 1: I have both the Pulse Secure Desktop client and the Standalone Installer Service client installed on my machine. Do I need to upgrade both products?
Answer: Yes, upgrading both Pulse Secure clients is necessary.
Question 2: I have multiple client versions installed. Which client should I upgrade to fix all affected clients?
Answer: The recommendation is to use Pulse Secure Desktop Client 9.1R6 or later and Pulse Secure Installer Service 9.1R6 or later.
Question 3: What clients are impacted by this vulnerability?
Answer: All Windows endpoints (Windows 10, Windows 8, etc.) running an affected version of Pulse Secure Desktop Client or Pulse Secure Installer Service are susceptible to this issue.
Question 4: I do not use the affected clients anymore. Can I uninstall them to fix the vulnerability instead of upgrading?
Answer: Yes. If you do not use any of the vulnerable client components (listed above), then you may uninstall them to mitigate the risk of the vulnerability. However, you must ensure that all impacted client components are uninstalled.
Question 5: How do I deploy the patched Pulse Secure Desktop clients to my endpoints?
Answer: If you intend to deploy a patched Pulse Secure Desktop Client, upload the client bundle to your PCS or PPS gateway, configure it as the active version, and have your end users connect to the gateway. The Pulse Secure Desktop Client will auto-upgrade upon connection. Alternatively, you can distribute the Pulse Secure Desktop Client to your endpoints through an out-of-band software-distribution mechanism such as SMS. For details, refer to the section on Upgrading Pulse Secure Client in the Pulse Secure Desktop Client admin guide.
Question 6: How do I deploy the patched Installer Service clients to my endpoints?
Answer: Currently the only way to upgrade the Installer Service client is to distribute the patched Standalone Installer Service client to your endpoints through an out-of-band software-distribution mechanism such as SMS, or to provide the client package to your end users by other means.
Note: The Standalone Installer Service client package is available in two formats (EXE and MSI). If a previous version of the Installer Service is already installed, a restricted (non-administrative) user can run the Installer Service ".exe" file: the ".exe" version communicates with the existing Installer Service and essentially bootstraps itself without requiring administrative privileges. If you instead run the Installer Service ".msi" file, you must be an administrative user.
Question 7: I don't use the Pulse Secure Desktop Client. I use Host Checker and have the Standalone Installer Service client along with it. How do I fix the vulnerable Standalone Installer Service client?
Answer: Install the patched Standalone Installer Service client bundle to the client machine, as listed in the table above.
Question 8: Do I need to upgrade PCS/PPS device as well?
Answer: No. The solution for this issue is to update the endpoint machine with a fixed version of the impacted Pulse Secure client software. A PCS/PPS gateway upgrade is not required.
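The remediation above comes down to one check per endpoint: is every installed Pulse Secure client component (Desktop Client and Installer Service) at 9.1R6 or later, or removed entirely? The following PowerShell audit is an added example, not Pulse Secure's own tooling. It reads the standard Windows Uninstall registry keys and compares each matching product against the fixed versions from the table. Two things are assumptions rather than facts from the advisory: that the products' DisplayName values begin with "Pulse Secure Desktop Client" / "Pulse Secure Installer Service", and that a dotted DisplayVersion such as "9.1.6.x" maps to release 9.1R6 (third field = R number). Check both against an endpoint in your fleet before relying on the output. A constructed sample inventory is included so the logic runs offline.

```powershell
# Added example: audit installed Pulse Secure client components against the
# minimum fixed versions from the advisory table (9.1R6 for both components).
# Assumptions (not from the advisory): DisplayName prefixes below, and that a
# dotted DisplayVersion "9.1.6.x" corresponds to release 9.1R6.

$MinimumFixed = @{
    'Pulse Secure Desktop Client'    = '9.1R6'
    'Pulse Secure Installer Service' = '9.1R6'
}

function ConvertTo-PulseVersion {
    param([Parameter(Mandatory)][string]$Text)
    # "9.1R6" -> 9,1,6 ; "9.1.6.1234" -> 9,1,6 (assumed mapping, see lead-in)
    if ($Text -match '^(\d+)\.(\d+)R(\d+)') {
        return [int[]]@($Matches[1], $Matches[2], $Matches[3])
    }
    if ($Text -match '^(\d+)\.(\d+)\.(\d+)') {
        return [int[]]@($Matches[1], $Matches[2], $Matches[3])
    }
    throw "Unrecognised version string: $Text"
}

function Compare-PulseVersion {
    param([string]$Installed, [string]$Minimum)
    # Negative result means Installed is older than Minimum (i.e. still vulnerable).
    $a = ConvertTo-PulseVersion $Installed
    $b = ConvertTo-PulseVersion $Minimum
    for ($i = 0; $i -lt 3; $i++) {
        if ($a[$i] -ne $b[$i]) { return [Math]::Sign($a[$i] - $b[$i]) }
    }
    return 0
}

function Get-PulseClientStatus {
    param([Parameter(Mandatory)][object[]]$Products)
    # $Products: objects with DisplayName and DisplayVersion (registry or inventory export).
    foreach ($p in $Products) {
        foreach ($name in $MinimumFixed.Keys) {
            if ($p.DisplayName -like "$name*") {
                $cmp = Compare-PulseVersion -Installed $p.DisplayVersion -Minimum $MinimumFixed[$name]
                [pscustomobject]@{
                    Component = $name
                    Installed = $p.DisplayVersion
                    Required  = "$($MinimumFixed[$name]) or later"
                    Status    = if ($cmp -lt 0) { 'VULNERABLE - upgrade or uninstall' } else { 'OK' }
                }
            }
        }
    }
}

function Get-InstalledProducts {
    # Live scan of the standard Windows Uninstall keys (64-bit and 32-bit views).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

# Constructed sample inventory (not captured from a real endpoint) so the audit runs offline.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Pulse Secure Desktop Client';    DisplayVersion = '9.1R5'   },
    [pscustomobject]@{ DisplayName = 'Pulse Secure Installer Service'; DisplayVersion = '9.1.7.0' }
)
Get-PulseClientStatus -Products $sample | Format-Table -AutoSize

# On a real endpoint, audit the registry instead of the sample:
# Get-PulseClientStatus -Products (Get-InstalledProducts) | Format-Table -AutoSize
```

With the sample data the Desktop Client row reports VULNERABLE (9.1R5 is below the table's 9.1R6 minimum) and the Installer Service row reports OK. An endpoint that lists no Pulse Secure component at all is consistent with the uninstall option in Question 4; any endpoint that lists one vulnerable component alongside a fixed one still needs work, which is the point of Question 1.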
Exploitation:
Pulse Secure PSIRT is not aware of any malicious exploitation for this vulnerability.
Document History:
June 17, 2020 - Initial advisory posted.
June 17, 2020 - KB44485 added in the Notes.
June 17, 2020 - Updated FAQ and Detailed Affected version details added.
June 18, 2020 - Uploaded 9.1R7 Pulse Secure Installer Service MSI and EXE.
LEGAL DISCLAIMER
- THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK. PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
- A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS. THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.