Pulse Secure problems? One of their code signing certs has expired

I had trouble connecting using Pulse Secure this morning, turns out the code signing certificate of the host checker has expired.

Here’s the KB: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44781

Edit1: KB updated 8:30AM GMT with more info. It’s not just the host checker that is the culprit as initially reported.

Edit2: Thread about the issue.

Edit3: Fix for 9.1R11.x was end of day April 12 PST but now says midnight. Ivanti has also put up a landing page with a statement from their President (video now removed).

Edit4: KB now says fix for 9.1R11.x is 13th April, 2021 (05:30 a.m PST).

Edit5: The KB now says the 9.1R11.x patch is available.

Edit6: Early access (aka “contact support”) patches available for 9.1R8, 9.1R9 and 9.1R10.

Edit7: Some users report that using the uninstall script linked in the KB article does not help. Manually removing two additional/all Pulse components worked for them. See here and here.

Edit8: The uninstall script and the manual instructions in the KB article has been updated to remove additional Pulse components.

I have 100s of users that are having issues. This is unacceptable.

Ivanti needs to burn management of this company and start from fresh.

Same issue here even without the host checker, though likely only an issue on machines where Pulse hasn’t run before.

Certs are like the new DNS.

I had a laugh/cry when I pulled up their cert. It’s 3 years old and we’ve gone thru how many appliance updates?! PulseSetupClient.exe cert

the KB Artical got updated

SynopsisThis article describes a situation where Multiple functionalities/features fail for End-Users with a Certificate error.Problem or GoalMultiple functionalities/features fail for End-Users with a Certificate error.

1. This impacts PCS/PPS.
2. This impacts the following releases,

• 9.1R11.x

• 9.1R10.x

• 9.1R9.x

• 9.1R8.x

   3. This impacts only Windows End-Points.  
   4. The following features are impacted:
  

• Terminal Services.

• JSAM

• HOB

• CTS

• VDI

• Secure Meeting (Pulse Collaboration).

• Host Checker.

• Launching of PDC via browser.

• SAML with External Browser with HC enabled.

This issue does not impact,

• Users who access Pulse Desktop Client directly (Not Via a Browser).
• macOS, Linux Users.
• Release prior to 9.1R8.x

CauseThe Code sign verification on the Client-Side components fails because the Certificate expiry time is checked as opposed to the timestamp of the Code signing.SolutionIvanti Engineering team is working on a fix based on 9.1R11.x. Expected by End of Day PST (12th April 2021 - Tentative).

We will also update the timelines of the fix based on 9.1R10, 9.1R9 & 9.1R8 as soon as possible.

Workaround:

• Roll back to a version prior to 9.1R8 if it is feasible.
• Use Pulse Desktop Client (Do not launch it through the browser).

birthday, day off today, phones been going all morning.

no fix as of yet.

​

disabled host checker, terminal services client then fails

i added HTML5 access and it has got people working, thanks for the suggestion, i forgot about that.

Thanks dude, was about to go completely mad.

But still, wtf is it checking? Users are already authenticated with 2FA. anyone got some more info?

Same here, we were given an ETR of approximately 02:15 - 04:00 (eastern time) and it’s still exhibiting the same behavior.

Same problem here…

My VDI users can’t work anymore…what a shit

Well, they just put the fix up. I didn’t think my opinion of Pulse could go any lower, but here we are.

Pulse/Ivanti truly are a bunch of clowns.

New update from them. Are they serious??

General Guidelines to install the fix :

1. The solution would involve upgrading the PCS server as well as clearing the older Pulse Secure components on the End-User devices

Note - End-Users who do not have any Pulse Secure components already installed, can skip Step # 2.

   2. The End User devices that have Pulse Secure components already installed would need to follow one of the two methods outlined below:

• Run the attached BAT Script (UninstallPSALAndPSC.bat).

Note - This would need End-users to have admin privileges.

• Manually remove PSAL and Setup Client components,

        a. Navigate to Control Panel -> Programs and Features  
        b  Select “Pulse Application Launcher”  
        c. Right Click and Uninstall.  
        d. Select “Pulse Secure Setup Client”  
        e. Right Click and Uninstall.
  

We have this issue too, and I’ve directed users to use HTML5 Access Sessions for now. Working fine until they resolve this…

TS impacted here. Date change on the local system worked. Not recommending, but for our byod from home policy, the users have the access to change the date. Able to change the date, click on the TS link, log in, minimize the session, and change the date right back. Only shared the workaround with our power users since they need the rich client, HTML5 link for everyone else.

We will sue Pulse Secure for this. Our customers are suing us for this, so we will sue Pulse Secure/Ivanti.

The KB site, says contact support for the patch, dont bother, i was just in a queue for over 30mins, just to be told will have to wait until its available on the download site.

Support dont have access to the download link yet…

Finished applying PCS update. So far no issues found, but will update if I hear anything different.

As for the client pieces:

• Do NOT use IE as the browser to reinstall the client pieces - there was a known issue on that KB that mentioned something about IE, but it wasn’t clear what it meant. It was removed between this morning and this post from the KB. IE workflow during the different updates was slow as dirt, and didn’t install completely on one of the computers we tested. (Looking at an apps list, there’s duplicate copies of the Setup Client and the Activex client on computers that have attempted installs using IE)
• We’ve encountered an issue a few times where just uninstalling the Application Manager and the Secure Setup Client doesn’t fix the problem. Not sure if it’s just us or not, or if we needed to reboot in between uninstall and install. We’re going to be sending out instructions to uninstall everything, restart their computer, then go through the process of installing.

We are also having the issue. anyone know of a workaround or fix? did anyone try the latest firmware?

​

From what they said in that KB article it seems like this caught them off guard.

out always on stuff seems to be working for now.

My company offshored End user support about 3 weeks ago. They used VDI infrastructure to support said company. Said offshore employees can not access their vdi’s to support end users due to this issue. Luckily N.A support was not dissolved yet, and calls were sent back to original site… pending restoration of services…today was rough

Still 1 hour to wait…because for the moment still no patch available.