Reverse engineering of the firmware running on Ivanti Pulse Secure devices has revealed numerous weaknesses, once again underlining the challenge of securing software supply chains.
Eclypsium, which obtained firmware version 9.1.18.2-24467.1 as part of its testing, said the base operating system used by the Utah-based software company for the device is CentOS 6.4.
“Pulse Secure runs an 11-year-old version of Linux that is no longer supported as of November 2020,” the firmware security company said in a report shared with The Hacker News.
The development comes as threat actors are exploiting a number of security flaws discovered in Ivanti Connect Secure, Policy Secure and ZTA gateways to deliver a wide range of malware, including web shells, stealers and backdoors.
Vulnerabilities that have been actively exploited in recent months include CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Last week, Ivanti also disclosed another bug in the software (CVE-2024-22024) that could allow threat actors to access otherwise limited resources without any authentication.
In an advisory published yesterday, web infrastructure company Akamai said it observed “significant scanning activity” targeting CVE-2024-22024 starting on February 9, 2024, following the publication of a proof-of-concept (PoC) by watchTowr.
Eclypsium said it used a PoC exploit for CVE-2024-21893 released by Rapid7 earlier this month to obtain a reverse shell on the PSA3000 appliance, then exported the device image for later analysis with the EMBA firmware security analyzer.
This not only uncovered a number of outdated packages, confirming earlier findings by security researcher Will Dormann, but also a set of vulnerable libraries that are cumulatively susceptible to 973 flaws, of which 111 have publicly known exploits.
[Figure: Number of scan requests per day targeting CVE-2024-22024]
Perl, for example, has not been updated since version 5.6.1, released 23 years ago, on April 9, 2001. The Linux kernel version is 2.6.32, which reached end of life (EoL) in March 2016.
“These older software packages are components of the Ivanti Connect Secure product,” Eclypsium said. “This is a perfect example of why visibility into digital supply chains is important and why enterprise customers are increasingly demanding SBOM from their suppliers.”
Additionally, a deeper examination of the firmware uncovered 1,216 issues in 76 shell scripts, 5,218 vulnerabilities in 5,392 Python files, as well as 133 outdated certificates.
The problems don't end there, because Eclypsium found a "security hole" in the logic of the Integrity Checker Tool (ICT) that Ivanti advised its customers to use to look for indicators of compromise (IoCs).
Specifically, the script was found to exclude over a dozen directories such as /data, /etc, /tmp, and /var from scanning, theoretically allowing an attacker to deploy their own persistent implants in one of these paths and still pass the file integrity check. The tool does, however, scan the /home partition that stores all product-specific daemons and configuration files.
As a result, deploying the Sliver post-exploitation framework in the /data directory and running ICT reported no problems, Eclypsium found, suggesting that the tool provides a "false sense of security."
It is worth noting that threat actors have also been observed tampering with the integrated ICT on compromised Ivanti Connect Secure devices in an attempt to evade detection.
In a theoretical attack demonstrated by Eclypsium, a threat actor could drop next-stage tools and store harvested information in the /data partition, then abuse another zero-day flaw to regain access to the device and exfiltrate the previously staged data, all while the integrity tool detects no signs of anomalous activity.
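To make the ICT blind spot concrete, here is a small, added simulation (written for this article; it is not Ivanti's ICT code nor Eclypsium's tooling). It builds a scratch directory tree standing in for the appliance filesystem, takes a hash manifest the way a file integrity checker would, plants a constructed implant file, and then runs the check twice: once with the reported exclusion list (/data, /etc, /tmp, /var), and once over everything. The directory names, file contents and the implant name are all constructed for the demonstration; the exclusion set is only the subset of directories the article names.

```python
import hashlib
import tempfile
from pathlib import Path

# Top-level directories the ICT is reported to skip (subset named in the article).
# In this simulation they are relative names under a scratch root, not real system paths.
ICT_EXCLUDED_DIRS = {"data", "etc", "tmp", "var"}


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, excluded):
    """Hash every regular file under root, skipping top-level dirs listed in `excluded`.
    Keys are paths relative to root, values are SHA-256 hex digests."""
    manifest = {}
    for top in sorted(root.iterdir()):
        if top.is_dir() and top.name in excluded:
            continue  # this is the blind spot: nothing below here is ever hashed
        candidates = [top] if top.is_file() else top.rglob("*")
        for p in candidates:
            if p.is_file():
                manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def integrity_check(root, baseline, excluded):
    """Return a sorted list of relative paths that are new, modified or missing
    compared with `baseline`, honouring the same exclusion list the baseline used."""
    current = build_manifest(root, excluded)
    findings = [rel for rel, digest in current.items() if baseline.get(rel) != digest]
    findings += [rel for rel in baseline if rel not in current]
    return sorted(findings)


def simulate(plant_under):
    """Build a constructed appliance tree, baseline it, plant an implant under
    `plant_under`, and return (findings_with_exclusions, findings_full_scan)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("home", "data", "etc", "tmp", "var"):
            (root / d).mkdir()
        # Constructed stand-ins for vendor content; not real appliance files.
        (root / "home" / "bin").mkdir()
        (root / "home" / "bin" / "webd").write_bytes(b"\x7fELF vendor daemon (constructed)")
        (root / "etc" / "config.xml").write_text("<config/>")
        (root / "data" / "cache.db").write_bytes(b"cache")

        # Two baselines: one taken the way the excluding checker sees the box,
        # one covering every directory.
        baseline_excl = build_manifest(root, ICT_EXCLUDED_DIRS)
        baseline_full = build_manifest(root, set())

        # Plant a constructed implant stand-in (named after the framework in the article).
        implant = root / plant_under / "sliver.bin"
        implant.parent.mkdir(parents=True, exist_ok=True)
        implant.write_bytes(b"constructed implant stand-in, not a real payload")

        return (
            integrity_check(root, baseline_excl, ICT_EXCLUDED_DIRS),
            integrity_check(root, baseline_full, set()),
        )


if __name__ == "__main__":
    for where in ("data", "home/bin"):
        with_excl, full = simulate(where)
        print(f"implant under {where}/: excluding checker -> {with_excl or 'clean'}; "
              f"full scan -> {full}")
```

Run as a script, the implant under data/ is reported "clean" by the excluding checker and flagged by the full scan, while the same file under home/bin/ is caught by both. The fix is not to hash more cleverly but to stop carving out whole writable partitions from the baseline; anything an attacker can write to and that survives a reboot belongs in the manifest.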
“There must be a system of checks and balances that allows customers and third parties to validate the integrity and safety of the product,” the company said. “The more open this process is, the better job we can do to validate the digital supply chain, i.e. the hardware, firmware and software components used in their products.”
“When vendors do not share information and/or operate a closed system, validation becomes difficult, as does visibility. Attackers will certainly, as highlighted recently, take advantage of this situation and exploit the lack of controls and visibility in the system.”