Expired certificate caused a Pulse Secure VPN global scale outage

Pulse Secure VPN users were not able to login due to the expiration of a code signing certificate used to digitally sign and verify software components.

Pulse Secure VPN users were not able to login after a code signing certificate used to digitally sign and verify software components has expired.

Multiple users have reported on Pulse Secure VPN community their difficulties to log in their devices.

This issue caused several problems to the users, most of them are working from home due to the pandemic and were not able to connect to company resources. Upon attempting to login from their browsers, users have displayed the message “An unexpected error has occurred,”, “Detected an internal error. Please retry. If the issue persists, contact your administrator.”

According to an advisory published by Pulse Secure, multiple functionalities/features fail for End-Users with a Certificate error.

The outage stems from a bug related to the improper verification of the signature for Pulse Secure components. The check of the signature was performed on the certificate’s expiration date rather than the timestamp on a digitally signed file.

Experts noticed that the code-signing certificate used to sign the file has expired on April 12, which means that signature analyzed was considered not valid and caused the massive outage.

“Multiple functionalities/features fail for End-Users with a Certificate error.
This issue started on the 12th of April, 2021 after 12:00 am UTC time as the validity of the code signing certificate expired.” reads the security advisory published by Pulse. “The Code sign verification on the Client-Side components fails because the Certificate expiry time is checked as opposed to the timestamp of the Code signing.”

This issue impacted users of Pulse Connect Secure (PCC) and Pulse Policy Secure (PPS), below the list of affected products:

This impacts PCS/PPS.
This impacts the following releases,

9.1R11.x
9.1R10.x
9.1R9.x
9.1R8.x

3. This impacts only Windows End-Points.
4. The following features are impacted:

Terminal Services.
JSAM
HOB
CTS
VDI
Secure Meeting (Pulse Collaboration).
Host Checker.
Launching of PDC via browser.
SAML with External Browser with HC enabled.

The problem does not impact:

Users who access Pulse Desktop Client directly (Not Via a Browser).
macOS, Linux Users.
Release prior to 9.1R8.x

The company suggests users to Use Pulse Desktop Client, instead of launching it through the browser, as workaroud.

The following table reports the release timelines for the fixes,

Product	Release	ETA
PCS	9.1R11.x	12th April, 2021 (midnight PST)
PCS	9.1R8.x	13th April, 2021 (End of Day PST)
PCS	9.1R9.x	13th April, 2021 (End of Day PST)
PCS	9.1R10.x	14th April, 2021 (End of Day PST)

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VPN)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.