Expired certificate caused a Pulse Secure VPN global scale outage

Pulse Secure VPN users were not able to login due to the expiration of a code signing certificate used to digitally sign and verify software components.

Pulse Secure VPN users were not able to login after a code signing certificate used to digitally sign and verify software components has expired.

Multiple users have reported on Pulse Secure VPN community their difficulties to log in their devices.

Pulse Secure VPN

This issue caused several problems to the users, most of them are working from home due to the pandemic and were not able to connect to company resources. Upon attempting to login from their browsers, users have displayed the message “An unexpected error has occurred,”, “Detected an internal error. Please retry. If the issue persists, contact your administrator.”

According to an advisory published by Pulse Secure, multiple functionalities/features fail for End-Users with a Certificate error.

The outage stems from a bug related to the improper verification of the signature for Pulse Secure components. The check of the signature was performed on the certificate’s expiration date rather than the timestamp on a digitally signed file.

Experts noticed that the code-signing certificate used to sign the file has expired on April 12, which means that signature analyzed was considered not valid and caused the massive outage.

“Multiple functionalities/features fail for End-Users with a Certificate error.
This issue started on the 12th of April, 2021 after 12:00 am UTC time as the validity of the code signing certificate expired.” reads the security advisory published by Pulse. “The Code sign verification on the Client-Side components fails because the Certificate expiry time is checked as opposed to the timestamp of the Code signing.”

This issue impacted users of Pulse Connect Secure (PCC) and Pulse Policy Secure (PPS), below the list of affected products:

  1. This impacts PCS/PPS.
  2. This impacts the following releases,
  • 9.1R11.x
  • 9.1R10.x
  • 9.1R9.x
  • 9.1R8.x

       3. This impacts only Windows End-Points.
       4. The following features are impacted:

  • Terminal Services.
  • JSAM
  • HOB
  • CTS
  • VDI
  • Secure Meeting (Pulse Collaboration).
  • Host Checker.
  • Launching of PDC via browser.
  • SAML with External Browser with HC enabled.

The problem does not impact:

  • Users who access Pulse Desktop Client directly (Not Via a Browser).
  • macOS, Linux Users.
  • Release prior to 9.1R8.x

The company suggests users to Use Pulse Desktop Client, instead of launching it through the browser, as workaroud.

The following table reports the release timelines for the fixes,

Product Release ETA
PCS 9.1R11.x 12th April, 2021 (midnight PST)
PCS 9.1R8.x 13th April, 2021 (End of Day PST)
PCS 9.1R9.x 13th April, 2021 (End of Day PST)
PCS 9.1R10.x 14th April, 2021 (End of Day PST)

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, VPN)

The post Expired certificate caused a Pulse Secure VPN global scale outage appeared first on Security Affairs.

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source