SA44712 - 2021-02: Out-of-Cycle Advisory: Pulse Secure response to BIOS Trickboot Vulnerability


Information

Product Affected: Hardware Model: PSA5000, PSA7000

Problem

A vulnerability in the BIOS of Pulse Secure PSA-Series hardware could allow an attacker to compromise the BIOS firmware. This vulnerability can be exploited only as part of an attack chain: before an attacker can compromise the BIOS, they must first exploit the device itself.
Supermicro's advisory can be found at the following link: https://www.supermicro.com/en/support/security/Trickbot

The table below provides details of the affected and not affected products. As the investigation continues, we recommend subscribing to this advisory, as it will be periodically updated to reflect the current status.

CVE-2021-22887: 2.3 Low CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Hardware Model | Status
PSA-300        | Not Applicable
PSA-3000       | Not Applicable
PSA-5000       | Vulnerable
PSA-7000       | Vulnerable

** MAG / SA / Virtual appliances are not affected by this vulnerability.
Solution

The solution for this issue is to apply a patch to the impacted Pulse Secure hardware model.

The table below indicates which patch needs to be deployed, based on the personality of the appliance.

Patch Release                              | Download
Pulse Connect Secure / Pulse Policy Secure | BIOS PATCH
Pulse One (On-Prem Appliance Only)         | BIOS PATCH

Frequently Asked Questions (FAQ):

Question 1: Do I need to upgrade the PCS/PPS/Pulse One software version running on affected hardware models?
Answer: No, the solution for this issue is to apply the patch only. The provided patch will not upgrade your PCS/PPS/Pulse One version or any client-side component.

Question 2: Is there a different patch for PCS and PPS appliances?
Answer: No, the same patch can be installed on either a PCS or a PPS appliance. However, there is a separate patch for the Pulse One appliance.

Question 3: Do we need to upgrade our appliance to a specific version to apply the patch?
Answer: No, an upgrade is not required to apply the patch.

Question 4: I am running a 9.0Rx or 9.1Rx version on a PSA appliance. Does this vulnerability affect us?
Answer: This vulnerability is determined only by the hardware model. If you are running vulnerable hardware listed in the table above, yes, it applies to you.

Question 5: Will the device reboot after the patch is applied?
Answer: Yes, once you apply the patch, your device will reboot automatically.

Question 6: How do I deploy the patch on Pulse Connect Secure appliances?
Answer: Follow these steps to deploy the patch on the Pulse Connect Secure appliance:
  • Log in to the administrator console of the PCS appliance.
  • Navigate to Maintenance >> Upgrade/Downgrade >> Install Service Package.
  • Click Browse and select the patch (downloaded from the Download link above).
  • Click Install.
  • This process takes a few minutes, and the appliance reboots automatically.
  • You can monitor the installation process via console access.

Question 7: How do I deploy the patch on Pulse Policy Secure appliances?
Answer: Follow these steps to deploy the patch on the Pulse Policy Secure appliance:
  • Log in to the administrator console of the PPS appliance.
  • Navigate to Maintenance >> Change Personality >> Service package to Install.
  • Click Browse and select the patch (downloaded from the Download link above).
  • Click Change Now.
  • This process takes a few minutes, and the appliance reboots automatically.
  • You can monitor the installation process via console access.
NOTE: Selecting the Change Personality option does not change the personality of the PPS appliance.


Question 8: How do I deploy the patch on Pulse One appliances?
Answer: Follow these steps to deploy the patch on the Pulse One appliance:
  • Download the BIOS patch (pulse-one-bios-updater-3.0d-r1.apk) from the table above.
  • Place it on a web server that can be reached from the appliance.
  • Log in to the PSA appliance.
  • In the Pulse One CLI, type system debug. It will ask for confirmation; press y.
  • It will then ask for an Access Code.
  • To obtain the Access Code, copy the text displayed between -----COPY TEXT BELOW THIS LINE----- and -----COPY TEXT ABOVE THIS LINE-----
  • Open a Support Case and provide that text so that Support can generate the Access Code for you.
  • As the Access Code expires in 10 minutes, please have the Support Engineer schedule a meeting for this activity.
  • Paste the received Access Code into the Pulse One console and press Enter. You will see a Linux console.
  • Download the file from your web server (set up in step 2) using wget or curl.
  • Before installing the file, verify the BIOS version and release date with the following commands:
      cat /sys/class/dmi/id/bios_version
      cat /sys/class/dmi/id/bios_date
    The output should be 3.0 and 07/01/2015 respectively.
  • Type apk add ./pulse-one-bios-updater-3.0d-r1.apk (this installs the BIOS files).
  • After installation is complete, you will be prompted to reboot. Press any key to reboot the appliance.
    Note: On a VM the installation will fail; this is expected, as the BIOS update is not required there.
  • After the reboot, the appliance will start updating the BIOS, which may take a few minutes.
  • You will see a screen similar to the BIOS update screenshot in the original article (image not reproduced here).
  • Once the BIOS is updated, the appliance boots and shows the Pulse One CLI.
  • Repeat the login, system debug and Access Code steps above to get back into the Linux console.
  • Verify that the BIOS has been updated with the following commands:
      cat /sys/class/dmi/id/bios_version
      cat /sys/class/dmi/id/bios_date
    The output should be 3.0d and 02/02/2021 respectively.
  • Once the BIOS is updated, clean up the installed files with the following commands:
      apk del pulse-one-bios-updater
      rm -f ./pulse-one-bios-updater-3.0d-r1.apk
  • Type exit to leave the Linux console.

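
The before/after BIOS checks in the procedure above, wrapped into a small script that classifies the appliance state from the same DMI files and the version/date values the advisory quotes. This is an added example, not part of the Pulse Secure advisory; DMI_DIR, the function names and the "--check" switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Pulse Secure advisory: classify the BIOS state
# of a Pulse One appliance from the DMI values the advisory tells you to check
# before and after installing pulse-one-bios-updater-3.0d-r1.apk.
# Assumption: DMI_DIR defaults to the sysfs path used in the advisory and can be
# overridden (e.g. to a directory of captured values) for testing.

DMI_DIR="${DMI_DIR:-/sys/class/dmi/id}"

# Values quoted in the advisory (Question 8) before and after the update.
PRE_VERSION="3.0";   PRE_DATE="07/01/2015"
POST_VERSION="3.0d"; POST_DATE="02/02/2021"

# classify_bios VERSION DATE -> prints pre-patch | patched | unknown
classify_bios() {
    if [ "$1" = "$POST_VERSION" ] && [ "$2" = "$POST_DATE" ]; then
        echo patched
    elif [ "$1" = "$PRE_VERSION" ] && [ "$2" = "$PRE_DATE" ]; then
        echo pre-patch
    else
        echo unknown          # e.g. a VM, or a BIOS build the advisory does not list
    fi
}

# read_dmi NAME -> prints the trimmed contents of $DMI_DIR/NAME, or nothing
# if the file is missing or unreadable.
read_dmi() {
    if [ -r "$DMI_DIR/$1" ]; then
        tr -d '[:space:]' < "$DMI_DIR/$1"
    fi
}

# check_appliance -> prints the state; returns 0 only when the BIOS is at the
# post-patch level, so it can gate a fleet inventory script.
check_appliance() {
    state=$(classify_bios "$(read_dmi bios_version)" "$(read_dmi bios_date)")
    echo "$state"
    [ "$state" = "patched" ]
}

# Run directly with "--check" to report the state of the current host.
if [ "${1:-}" = "--check" ]; then
    check_appliance
fi
```

Run it as sh check_bios.sh --check from the Linux console before and after the update; a non-zero exit means the appliance is not yet at the patched level.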
Question 9: We are using an A/A or A/P cluster. Do we need to patch the nodes individually?
Answer: Yes, in a cluster scenario the appliances need to be patched individually (there is no need to break the cluster).

Question 10: How can we verify that the patch was applied successfully?
Answer: Once you have applied the patch on an appliance running PCS or PPS, follow the steps below to access the BIOS page:
  • Reboot the PSA appliance.
  • After the Pulse Secure prompt appears, press the DELETE key repeatedly (on a Windows keyboard) or Fn + Backspace repeatedly (on macOS).
  • This takes the admin into the BIOS.
After patching, customers can verify the version details on the BIOS page; the expected values are shown in the screenshot of the original article (not reproduced here).

Question 11: How can we exit the BIOS setup (PCS/PPS)?
Answer: On the BIOS page, press the ESC key. It will prompt with the option Exit Without Saving. Select Yes to quit without saving. The device will reboot and start automatically.

Question 12: What are the MD5 and SHA256 hash values of the PCS/PPS patch?
Answer: You can download the patch (ps-psa-5k-7k-bios-flash-2021v4.pkg) from the table above. The MD5 and SHA256 hash values are:
MD5: 944e84157fa90e91b78902fe708b82da
SHA256: d53d031c0b8757b43f004d3dd9ccf174a319217142548d59caf9261e108cd045

Question 13: What are the MD5 and SHA256 hash values of the PCS/PPS patch?
Answer: You can download the patch (ps-psa-5k-7k-bios-flash-2021v4.pkg) from the table above. The MD5 and SHA256 hash values are:
MD5: f481f243b24de6ccb7f4082f06aab985
SHA256: 1cf2a97a10d4211b25cd5592426158a6af22263b00e219c76338c76184033173
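
A check of a downloaded patch against the digests in Questions 12 and 13, as an added example that is not part of the advisory. Because two MD5/SHA256 pairs are published for the same file name, the script accepts a file only when both of its digests match the same published pair; the function names and the PATCH_FILE variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Pulse Secure advisory: verify a downloaded
# PCS/PPS BIOS patch (ps-psa-5k-7k-bios-flash-2021v4.pkg) against the MD5 and
# SHA256 values published in Questions 12 and 13 before uploading it to an
# appliance. The advisory lists two digest pairs for the file name, so a file
# is accepted only if BOTH digests match the SAME published pair.
# Assumes GNU md5sum/sha256sum, with BSD md5/shasum as a fallback.

# Published pairs from the advisory: "md5 sha256" per line.
PUBLISHED_DIGESTS="944e84157fa90e91b78902fe708b82da d53d031c0b8757b43f004d3dd9ccf174a319217142548d59caf9261e108cd045
f481f243b24de6ccb7f4082f06aab985 1cf2a97a10d4211b25cd5592426158a6af22263b00e219c76338c76184033173"

md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1"; else md5 -r "$1"; fi | awk '{print $1}'
}
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# verify_patch FILE -> returns 0 if FILE matches one published MD5/SHA256 pair,
# 1 otherwise (missing file, unknown digests, or digests from two different pairs).
verify_patch() {
    file="$1"
    [ -f "$file" ] || { echo "REJECT: no such file: $file" >&2; return 1; }
    m=$(md5_of "$file")
    s=$(sha256_of "$file")
    set -- $PUBLISHED_DIGESTS      # positional args: md5_1 sha_1 md5_2 sha_2 ...
    while [ $# -ge 2 ]; do
        if [ "$m" = "$1" ] && [ "$s" = "$2" ]; then
            echo "OK: $file matches published pair (md5 $1)"
            return 0
        fi
        shift 2
    done
    echo "REJECT: $file (md5 $m, sha256 $s) matches no published pair" >&2
    return 1
}

# Set PATCH_FILE to check a downloaded file when running this script directly.
if [ -n "${PATCH_FILE:-}" ]; then
    verify_patch "$PATCH_FILE"
fi
```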

Question 14: While installing the patch, the message "System software upgrade failed.  Installation timed out." appears in the admin logs. Is this a problem?
Answer: This is expected behaviour, as this patch updates only the BIOS. An administrator can ignore this error message.

Question 15: Unable to find the "Change Personality" option on a PPS appliance?
Answer: This is a limitation of the PPS appliance: when PPS devices are formed into a cluster, the Change Personality option automatically disappears. As a workaround, remove the nodes from the cluster and install the patch on each individual node.

Question 16: Which versions of PCS/PPS is this patch applicable to?
Answer: This patch is applicable to all 9.1Rx versions.

Question 17: Which versions of Pulse One is this patch applicable to?
Answer: This patch is applicable to all versions.


Document History:
Mar 03, 2021 - Initial advisory posted.
Mar 04, 2021 - Updated FAQ Details
Mar 11, 2021 - Updated the CVE and FAQ Details
Sep 21, 2021 - Updated the BIOS Patch and FAQ details.
Feb 01, 2022 - Updated the BIOS Patch for Pulse One along with FAQ details. 

Exploitation

Pulse Secure PSIRT is not aware of any malicious use of this malware against Pulse Secure products.

LEGAL DISCLAIMER

  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround
There are no workarounds that address this vulnerability.
CVSS Score: 2.3 Low CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Alert Type: SA - Security Advisory
Risk Level: Low