Related documents: SA44784; KB44755

On July 21st 2021, CISA released an alert titled, “Malware Targeting Pulse Secure Devices.” This is not new information. The malware was already identified in the FireEye report that was published on April 20 regarding a highly sophisticated threat actor who leveraged both previously disclosed vulnerabilities and a previously unknown vulnerability (“zero day”) in a targeted campaign against a small number of Pulse Connect Secure (PCS) devices.

Version 9.1R11.5, which was released on June 11, addresses the identified issues. If customers aren’t on version 9.1R11.5, we strongly encourage them to move to it. For customers who believe they may have been impacted, we encourage them to use the Pulse Security Integrity Checker Tool (ICT). To support those who have been affected, we are providing advanced mitigations directly to customers as outlined in our Knowledge Base. More information can be found at Security Advisory SA44784 (CVE-2021-22893).

We remain committed to continually improving the PCS product and, in collaboration with experts such as CERT, Mandiant, and Stroz Friedberg, we are incorporating lessons learned and best practices to harden security measures and adding new features designed to improve the customer experience. Our customers will see the beginning of this journey in the upcoming release of version 9.1R12 in early August. In version 9.1R12 we are incorporating the positive aspects of the ICT while also looking to address some experience issues directly in the product. Specifically:

- Eliminating the need for scheduled downtime to run an integrity check.
- Automating the process to update the integrity definitions to the latest version.
- Improving administrator feedback, including logging when the integrity check runs and the results.
- Addressing a few edge cases where false positives can occur.

FAQ

1) Can I still use the current release of the ICT?
Yes, the current release of the ICT has proven to be highly effective in discovering malicious activity on the gateway.

2) Has the ICT been circumvented by anyone?
To date, we have not had any reports of a threat actor circumventing the ICT, nor have any of our security partners. However, since it is theoretically possible on a fully compromised system to circumvent the ICT with sufficient time and effort, we are building improved integrity checking capabilities into upcoming releases.

3) When will the ICT replacement be available?
Delivery is currently planned for the 9.1R12 release, tentatively scheduled for early August.