Reset Search
 

 

Article

SA44712 - 2021-02: Out-of-Cycle Advisory: Pulse Secure response to BIOS Trickboot Vulnerability

« Go Back

Information

 
Product AffectedHardware Model: PSA5000, PSA7000
Problem
A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) could allow an attacker to compromise BIOS firmware. This vulnerability can be exploited only as part of an attack chain. Before an attacker can compromise the BIOS, they must exploit the device.
  The SuperMicro's advisory can be found at the following link: https://www.supermicro.com/en/support/security/Trickbot

The table below provides details of the affected and not affected products:

As the investigation continues, we recommend subscribing to this advisory as it will be periodically updated to reflect the current status.

CVE-2021-22887: 2.3 Low CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
 
Hardware ModelStatus
PSA-300Not Applicable
PSA-3000Not Applicable
PSA-5000Vulnerable
PSA-7000Vulnerable
** MAG/ SA / Virtual appliances are not affected by this vulnerability.
Solution

The solution for this issue is to apply a patch to the impacted Pulse Secure Hardware Model.

The below table indicates which patch needs to be deployed based upon the personality of the appliance.
 

Patch ReleaseDownload
Pulse Connect Secure / Pulse Policy SecureBIOS PATCH 
Pulse One (On-Prem Appliance Only)Pending Release.
 

Frequently Asked Questions (FAQ):

Question 1: Do I need to upgrade PCS/PPS device version running on affected hardware models?
Answer: 
No, the solution for this issue is to only apply the patch fix. The provided patch will not upgrade your PCS/PPS version or any client-side component.

Question 2: Is there a different patch available for PCS or PPS Appliances?
Answer: 
No, the same patch can be implemented on either PCS or PPS Appliance.

Question 3: Do we need to upgrade our appliance to a specific version to apply the patch?
Answer: 
No, the upgrade is not required to apply the patch. 

Question 4: I am running the 9.0Rx|9.1Rx version on the PSA appliance. Does this vulnerability affect us?
Answer:
This vulnerability is only applicable to Hardware Model. If you are running vulnerable hardware mentioned in the above table, yes this is applicable.

Question 5: Will the device reboot after updating the patch?
Answer: Yes, once you apply the patch, your device it will automatically get rebooted. 

Question 6: How do I deploy the patch on Pulse Connect Secure appliances?
Answer
: Please follow the following steps to deploy the patch on the Pulse Connect Secure appliance:
  • Log in to the administrator console of the PCS appliance.
  • Navigate to Maintenance >> Upgrade/Downgrade >> Under Install Service Package
  • Click on Browse and Select the Patch (Download the patch from above Download Link)
  • Click on Install.
  • This process will take a few minutes and the appliance automatically gets rebooted.
  • You can monitor the console access for the Installation Process.
User-added image

Question 7: How do I deploy the patch on Pulse Policy Secure appliances?
Answer
: Please follow the following steps to deploy the patch on the Pulse Policy Secure appliance:
  • Log in to the administrator console of the PPS appliance.
  • Navigate to Maintenance >> Change Personality >> Under Service package to Install
  • Click on Browse and Select the Patch (Download the patch from above Download Link)
  • Click on Change Now.
  • This process will take a few minutes and the appliance automatically gets rebooted.
  • You can monitor the console access for the Installation Process.
NOTE: Selecting the Change Personality option would not change the personality of the PPS appliance.

User-added image
Question 8: We are using A/A or A/P Cluster, do we need to patch the nodes individually?
Answer: Yes, we need to patch the appliances individually in the cluster scenario (No need to break the cluster)

Question 9: How we could verify that the patch is applied successfully?
Answer:
Once you apply the patch on the appliance running PCS or PPS software version. Please follow the below steps to access BIOS Page.
  • Reboot the PSA Appliance
  • After Pulse Secure Prompt, press the DELETE key continuously on Windows & Fn + Backspace on MacOS continuously.
  • This will get the admin into BIOS
Post patch customers can verify the following version details under BIOS Page:

User-added image

Question 10: How we could exit from BIOS Setup?
Answer: 
Under the BIOS Page, Press ESC Key.
It will prompt the option to Exit Without Saving.
Select the Yes option to Quit without saving.
The device will reboot and start automatically.

User-added image

Question 11: What is the MD5 and SHA256 Hash value of the PCS/PPS Patch?
Answer: You can download the patch (ps-psa-5k-7k-bios-flash-2021v4.pkg) from the above table.
Please find the MD5 and SHA256 Hash values:
MD5: 944e84157fa90e91b78902fe708b82da
SHA256: d53d031c0b8757b43f004d3dd9ccf174a319217142548d59caf9261e108cd045

Question 12: While installing the patch, the following logs "System software upgrade failed.  Installation timed out." are generated under admin logs?
Answer: This is expected behavior as this patch is only for BIOS. An administrator could ignore this error message.

Question 13: Unable to find the "Change Personality" option under PPS Appliance?
Answer: This is a limitation with the PPS appliance. When we form the cluster in PPS devices, the Change Personality option automatically disappears. As a workaround, we need to remove the nodes from the cluster and install the patches on the individual nodes.

Question 14: How do I deploy the patch on Pulse One (On-Prem) appliances?
Answer: Pulse One (On-Prem) requires a separate package solution. Currently, the engineering team is working on this issue.

Question 15: What versions of PCS/PPS is this patch applicable to?
Answer:
This patch is applicable to all 9.1Rx versions.

Document History:
Mar 03, 2021 - Initial advisory posted.
Mar 04, 2021 - Updated FAQ Details
Mar 11, 2021 - Updated the CVE and FAQ Details
Sep 21, 2021 - Updated the BIOS Patch and FAQ details.

Exploitation

Pulse Secure PSIRT is not aware of any malicious use of this malware against Pulse Secure products.

LEGAL DISCLAIMER

  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround
There are no workarounds that address this vulnerability.
Implementation
Related Links
CVSS Score2.3 Low CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Risk Assessment
Acknowledgements
Alert TypeSA - Security Advisory
Risk LevelLow
Attachment 1 
Attachment 2 
Legacy ID

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255