Incident: Expired Code Prevents Access to Pulse Secure VPN for Remote Employees

Published Date: 2021-04-12

Postmortem Analysis
Timeline:
1. The software failure incident with Pulse Secure VPN happened on Monday, as mentioned in the article [113033]. Therefore, the estimated timeline for the incident would be:
   Step 1: The incident occurred on a Monday.
   Step 2: The article was published on 2021-04-12.
   Step 3: Based on the above information, the incident likely occurred on Monday, 2021-04-12.
System:
1. Pulse Secure VPN system [113033]
2. Code-signing certificate used to digitally sign and verify software components [113033]
Responsible Organization:
1. The software failure incident with Pulse Secure VPN was caused by an expired code-signing certificate used to digitally sign and verify software components, leading to users being unable to connect to the service [113033].
Impacted Organization:
1. Employees worldwide working remotely for more than 24,000 companies were impacted by the software failure incident with Pulse Secure VPN [113033].
Software Causes:
1. The software failure incident was caused by an expired code-signing certificate used to digitally sign and verify software components, leading to users being unable to connect to Pulse Secure VPN [113033].
2. The issue stemmed from a certificate error in which code-signing verification on the client-side components failed because the certificate expiry time was checked instead of the timestamp of the code signing [113033].
Non-software Causes:
1. The failure incident was caused by an expired code-signing certificate used to digitally sign and verify software components, leading to users being unable to access internal work resources [113033].
Impacts:
1. Employees worldwide were unable to connect to Pulse Secure VPN, impacting their ability to access internal work resources remotely [113033].
2. More than 24,000 companies and nearly 25 million endpoints relying on Pulse Secure faced disruptions in their daily work operations [113033].
3. Users had to seek advice on Pulse Secure support forums and wait for an update from Pulse to resolve the issue [113033].
4. Multiple functionalities/features failed for end-users with a certificate error, affecting their ability to carry out operations as usual [113033].
5. The software failure incident did not impact users accessing Pulse Desktop Client directly or those using macOS and Linux, prompting the firm to suggest using Pulse Desktop Client as a workaround until the issue is fixed [113033].
Preventions:
1. Regularly updating and renewing digital certificates used for code signing could have prevented the software failure incident [113033].
2. Implementing proper monitoring and alert systems to notify administrators of expiring certificates in advance could have helped prevent the issue [113033].
3. Conducting thorough testing and validation of software components to ensure they function correctly before deployment could have identified the expired certificate issue earlier and prevented the incident [113033].
Fixes:
1. Updating the expired code-signing certificate used to digitally sign and verify software components [113033]
2. Waiting for an update from Pulse Secure to address the issue [113033]
3. Using Pulse Desktop Client directly instead of accessing through a browser as a workaround until the issue is fixed [113033]
References:
1. Bleeping Computer [Article 113033]
2. Pulse Secure forums [Article 113033]
3. Pulse Secure support bulletin [Article 113033]
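
The verification flaw described under Software Causes and the expiry monitoring suggested under Preventions, sketched as an added example that is not code from the article or from Pulse Secure. The SignedComponent model, its field names and every date are constructed assumptions, and signed_at is assumed to be a trusted timestamp that has already been validated.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc

@dataclass(frozen=True)
class SignedComponent:
    """Constructed model of a signed client component (field names are hypothetical)."""
    name: str
    not_before: datetime           # signing certificate validity start
    not_after: datetime            # signing certificate expiry
    signed_at: Optional[datetime]  # countersigned timestamp, assumed already validated

def verify_by_expiry(c: SignedComponent, now: datetime) -> bool:
    """Faulty policy: accept only while the certificate is valid at verification time."""
    return c.not_before <= now <= c.not_after

def verify_by_timestamp(c: SignedComponent, now: datetime) -> bool:
    """Accept if the signature was made while the certificate was valid."""
    if c.signed_at is None:        # no timestamp: only the expiry check is possible
        return verify_by_expiry(c, now)
    if c.signed_at > now:          # a timestamp in the future is not credible
        return False
    return c.not_before <= c.signed_at <= c.not_after

def expiring_soon(components: List[SignedComponent], now: datetime,
                  warn_days: int = 60) -> List[str]:
    """Names whose signing certificate expires within warn_days, soonest first."""
    limit = now + timedelta(days=warn_days)
    due = [c for c in components if c.not_after <= limit]
    return [c.name for c in sorted(due, key=lambda c: c.not_after)]

# Constructed sample data; dates are illustrative, not taken from the incident.
OLD = (datetime(2019, 1, 1, tzinfo=UTC), datetime(2021, 1, 1, tzinfo=UTC))
NEW = (datetime(2020, 1, 1, tzinfo=UTC), datetime(2023, 1, 1, tzinfo=UTC))
SAMPLES = [
    SignedComponent("timestamped", *OLD, datetime(2020, 6, 1, tzinfo=UTC)),
    SignedComponent("no-timestamp", *OLD, None),
    SignedComponent("signed-after-expiry", *OLD, datetime(2021, 1, 1, 12, tzinfo=UTC)),
    SignedComponent("renewed", *NEW, datetime(2020, 6, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    now = datetime(2021, 1, 2, tzinfo=UTC)  # one day after the OLD certificate expires
    for c in SAMPLES:
        print(f"{c.name:20} expiry={verify_by_expiry(c, now)} "
              f"timestamp={verify_by_timestamp(c, now)}")
    print("renew soon:", expiring_soon(SAMPLES, datetime(2020, 12, 1, tzinfo=UTC)))
```

A production verifier would also check revocation status and the timestamp authority's own certificate chain, which this model leaves out.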

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization | (a) The software failure incident has happened again at one_organization: - In August 2020, security researchers discovered a vulnerability in Pulse Secure VPN that could be used by hackers to take control of an enterprise's entire network [113033]. - This incident indicates a previous software vulnerability within the Pulse Secure VPN service, suggesting a recurring issue within the same organization's product. (b) The software failure incident has happened again at multiple_organization: - There is no specific mention in the provided article about similar incidents happening at other organizations or with their products and services.
Phase (Design/Operation) | design, operation | (a) The software failure incident in the Pulse Secure VPN service was due to an expired code-signing certificate used to digitally sign and verify software components. This issue arose from a design flaw in the system development process, specifically related to the handling of certificate expiry time versus the timestamp of the code signing [113033]. (b) Users were unable to connect to the Pulse Secure VPN service, impacting their ability to access internal work resources. This failure was a result of the operation of the system, as users were unable to carry out their daily work operations due to the expired certificate blocking their access [113033].
Boundary (Internal/External) | within_system | (a) within_system: The software failure incident with Pulse Secure VPN was caused by an expired code-signing certificate used to digitally sign and verify software components within the system. This issue led to users being unable to connect to their company's resources via their web browser [113033]. (b) outside_system: The software failure incident with Pulse Secure VPN was not due to contributing factors that originate from outside the system.
Nature (Human/Non-human) | non-human_actions | (a) The software failure incident occurring due to non-human actions: The software failure incident with Pulse Secure VPN was caused by an expired code-signing certificate used to digitally sign and verify software components. This issue led to users worldwide being unable to connect to the VPN service, impacting employees working remotely [113033]. (b) The software failure incident occurring due to human actions: There is no specific mention in the provided article about the software failure incident being caused by human actions.
Dimension (Hardware/Software) | software | (a) The software failure incident in the article is not attributed to hardware issues. The root cause of the problem was identified as an expired code-signing certificate used to digitally sign and verify software components, which prevented users from connecting to their company's resources via their web browser [113033]. (b) The software failure incident in the article is directly related to software issues. Specifically, the issue stemmed from an expired code-signing certificate used to digitally sign and verify software components, leading to users being unable to access internal work resources through the Pulse Secure VPN service [113033].
Objective (Malicious/Non-malicious) | non-malicious | (a) The software failure incident in this case is non-malicious. The issue stemmed from an expired code-signing certificate used to digitally sign and verify software components, which led to users being unable to connect to the Pulse Secure VPN service. This was not an intentional act to harm the system but rather a result of an oversight in managing the certificate expiry time [113033].
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The software failure incident related to the Pulse Secure VPN service was primarily due to poor decisions. The issue stemmed from an expired code-signing certificate used to digitally sign and verify software components, which led to users being unable to access internal work resources [113033]. The failure was attributed to the certificate expiry time being checked instead of the timestamp of the code signing, causing multiple functionalities/features to fail for end-users [113033]. Additionally, the incident highlighted a vulnerability in the system that could potentially be exploited by hackers, indicating a lack of robust security measures in place [113033].
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident in the Pulse Secure VPN service was due to development incompetence. The issue stemmed from an expired code-signing certificate used to digitally sign and verify software components, which led to users being unable to access internal work resources [113033]. (b) Additionally, the incident can be considered accidental as the certificate expiry time was checked instead of the timestamp of the code signing, leading to the failure in code-signing verification on the client-side components [113033].
Duration | temporary | From the provided articles, the software failure incident related to the Pulse Secure VPN service being unable to connect due to an expired code-signing certificate used to digitally sign and verify software components can be categorized as a temporary failure. This is evident from the fact that the issue stemmed from an expired certificate causing a certificate error, which was identified as the reason for the connectivity problem. The support bulletin released by Pulse Secure acknowledged that multiple functionalities/features were failing for end-users due to the certificate error, indicating a specific issue with the code-signing verification process [113033]. Additionally, the workaround suggested by the firm to use the Pulse Desktop Client directly instead of through a browser for unaffected users further supports the notion that the failure was temporary and could be mitigated by specific actions [113033].
Behaviour | value | (a) crash: The software failure incident in the article is not described as a crash where the system loses state and does not perform any of its intended functions [113033]. (b) omission: The software failure incident in the article is not described as an omission where the system omits to perform its intended functions at an instance(s) [113033]. (c) timing: The software failure incident in the article is not described as a timing issue where the system performs its intended functions correctly, but too late or too early [113033]. (d) value: The software failure incident in the article is described as a failure due to the system performing its intended functions incorrectly. Specifically, the issue stems from an expired code-signing certificate used to digitally sign and verify software components, blocking users from connecting to their company's resources via their web browser [113033]. (e) byzantine: The software failure incident in the article is not described as a byzantine failure where the system behaves erroneously with inconsistent responses and interactions [113033]. (f) other: The software failure incident in the article is not described as any other specific behavior beyond the incorrect performance of intended functions due to the expired certificate issue [113033].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property, delay | (d) property: People's material goods, money, or data were impacted due to the software failure - The software failure incident with Pulse Secure VPN resulted in users being unable to access their company's resources via their web browser, impacting their ability to perform daily work operations [113033]. - The issue was caused by an expired code-signing certificate used to digitally sign and verify software components, which blocked users from connecting to their company's resources [113033]. - Users worldwide, including employees working remotely, were affected by the inability to connect to Pulse Secure VPN, a service relied upon by more than 24,000 companies and nearly 25 million endpoints [113033]. - The software failure led to users seeking advice on Pulse Secure support forums and waiting for an update from Pulse to resolve the issue [113033].
Domain | information, finance | (a) The software failure incident affected the information industry as it impacted employees working remotely who rely on Pulse Secure VPN for secure access to internal work resources [113033]. (h) The incident also had implications for the finance industry as employees were unable to carry out daily work operations due to the software failure, potentially impacting financial transactions and operations [113033]. (m) The software failure incident could also be related to the technology industry, as Pulse Secure VPN is a service that provides secure access for employees working remotely, which is a technology solution utilized by numerous companies [113033].
