A recent reverse engineering analysis of firmware running on Ivanti Pulse Secure devices has revealed several vulnerabilities, highlighting the ongoing struggle of securing software supply chains.
Eclypsiusm, who obtained firmware version 9.1.18.2-24467.1 as part of its investigation, found that the Utah-based software company’s device uses CentOS 6.4 as the base operating system. This version of Linux reached end-of-life in November 2020, making it a risky choice for the company’s security appliances.
Exploiting vulnerabilities in Ivanti Connect Secure, Policy Secure, and ZTA gateways, threat actors have been carrying out attacks involving various malware such as web shells, stealers, and backdoors. Notable among these vulnerabilities are CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, as well as CVE-2024-22024, disclosed recently by Ivanti.
Akamai has detected a surge in scanning activities targeting CVE-2024-22024, spreading through a PoC published by watchTowr, following the disclosure of the vulnerability. Eclypsium leveraged a PoC exploit for CVE-2024-21893 to gain access to the PSA3000 appliance and analyze the device using the EMBA firmware security analyzer.
This not only revealed outdated packages and vulnerable libraries in the Ivanti Connect Secure product but also identified 973 flaws, including 111 publicly known exploits, in the firmware.
Number of scanning requests per day targeting CVE-2024-22024
Eclypsium’s investigation also exposed numerous security weaknesses in the Ivanti Connect Secure product, including a number of outdated packages and vulnerable libraries that collectively account for 973 flaws, 111 of which have publicly known exploits. The outdated packages, such as Perl and the Linux kernel, pose significant security risks to the product.
Most alarmingly, Eclypsium discovered a “security hole” in Ivanti’s Integrity Checker Tool (ICT), thereby exposing the product’s integrity check mechanisms to vulnerabilities of their own. The tool was found to exclude several directories from scanning, potentially allowing attackers to bypass the integrity check.
As a result, the ICT gives a “false sense of security,” as it can be bypassed, allowing attackers to evade detection. Moreover, Eclypsium demonstrated a theoretical attack in which attackers could use the compromised device to exfiltrate data while slipping past the integrity check undetected.
The findings underscore the dire need for enhanced visibility into digital supply chains, warranting customers and third-parties to validate product integrity. By adopting a more open approach to sharing information, vendors can improve validation of their digital supply chain, making it harder for attackers to exploit the lack of controls and visibility into the system.
If you enjoyed this article, follow us on Twitter and LinkedIn for more exclusive content.