Ivanti Pulse Secure found using an 11-year-old Linux version and outdated libraries


A reverse engineering of the firmware running on Ivanti Pulse Secure devices has revealed numerous weaknesses, further underscoring the challenge of securing software supply chains.

Eclypsium, which acquired the firmware version as part of the process, says the base operating system used by the Utah-based software company for the device is CentOS 6.4.

“Pulse Secure runs an 11-year-old version of Linux that has been unsupported since November 2020,” the firmware security company said in a report shared with The Hacker News.

This development comes as threat actors are taking advantage of a number of security flaws discovered in Ivanti Connect Secure, Policy Secure and ZTA gateways to deliver a wide range of malware including web shells, stealers and backdoors.

The vulnerabilities that have been actively exploited in recent months include CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Last week, Ivanti also disclosed another bug in the software (CVE-2024-22024) that could allow threat actors to access otherwise restricted resources without any authentication.

In a warning published yesterday, web infrastructure company Akamai said it had observed “significant scanning activity” targeting CVE-2024-22024 as of February 9, 2024, following the publication of a proof-of-concept (PoC) by watchTowr.

Eclypsium said it used a PoC exploit for CVE-2024-21893 released earlier this month by Rapid7 to obtain a reverse shell for the PSA3000 device, then export the device image for follow-up analysis using the EMBA firmware security analyzer.

Not only did this reveal some outdated packages – confirming previous findings from security researcher Will Dormann – but also a number of vulnerable libraries that are cumulatively susceptible to 973 flaws, of which 111 have publicly known exploits.

Figure: Number of scan requests per day targeting CVE-2024-22024

For example, Perl has not been updated since version 5.6.1, which was released 23 years ago on April 9, 2001. The Linux kernel version is 2.6.32, which reached end of life (EoL) in March 2016.

“These legacy software packages are components in the Ivanti Connect Secure product,” Eclypsium said. “This is a perfect example of why visibility in digital supply chains is important and why enterprise customers are increasingly demanding SBOMs from their suppliers.”

Additionally, a deeper examination of the firmware revealed 1,216 issues in 76 shell scripts, 5,218 vulnerabilities in 5,392 Python files, in addition to 133 outdated certificates.


The problems don’t end there: Eclypsium also found a “security hole” in the logic of the Integrity Checker Tool (ICT) that Ivanti has recommended its customers use to look for indicators of compromise (IoCs).

Specifically, the script was found to exclude more than a dozen directories, such as /data, /etc, /tmp, and /var, from scans, meaning an attacker could hypothetically deploy persistent implants in any of those paths and still pass the integrity check. The tool does, however, scan the /home partition, where all product-specific daemons and configuration files are stored.

As a result, Eclypsium found that deploying the Sliver post-exploitation framework in the /data directory and then running the ICT reported no problems, suggesting the tool provides a “false sense of security.”

It is worth noting that threat actors have also been observed tampering with the built-in ICT on compromised Ivanti Connect Secure devices in an attempt to evade detection.

In a theoretical attack demonstrated by Eclypsium, a threat actor could drop next-stage tools and store collected information in the /data partition, then exploit another zero-day flaw to gain access to the device and exfiltrate the previously staged data. Meanwhile, the integrity tool detects no sign of abnormal activity.
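To make the blind spot concrete, here is an added example (not Eclypsium's or Ivanti's code, and not a model of how the real ICT is implemented): a minimal baseline-manifest integrity checker run over a constructed directory tree. The first pass skips top-level directories named in an exclusion list modelled on the article's description (data, etc, tmp, var); the second pass scans everything. A file planted under data/ and a modified config under etc/ are invisible to the first pass and reported by the second. The directory layout, file names and contents are all constructed for the example.

```python
"""
Added example: a baseline-manifest file-integrity check, run with and without a
directory exclusion list, to show why excluded paths are a detection gap.
Not Eclypsium's or Ivanti's code; the tree below is constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Exclusion list modelled on the article's description of the ICT: top-level
# directories the scan skips. Names are relative to the scanned root.
ARTICLE_STYLE_EXCLUSIONS = ("data", "etc", "tmp", "var")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def check_integrity(root: Path, baseline: dict, excluded_dirs=()) -> dict:
    """Compare the live tree with a baseline manifest.

    Returns {"added": [...], "modified": [...], "missing": [...]}.
    Any path whose first component is in excluded_dirs is dropped from both the
    live view and the baseline, so changes there can never be reported. That
    is the blind spot the article describes.
    """
    def excluded(rel: str) -> bool:
        return rel.split("/", 1)[0] in excluded_dirs

    live = {k: v for k, v in build_manifest(root).items() if not excluded(k)}
    base = {k: v for k, v in baseline.items() if not excluded(k)}
    return {
        "added": sorted(k for k in live if k not in base),
        "modified": sorted(k for k in live if k in base and live[k] != base[k]),
        "missing": sorted(k for k in base if k not in live),
    }


def demo() -> tuple:
    """Build a constructed tree, baseline it, change files under excluded dirs,
    then scan with the exclusion list and with full coverage.

    Returns (findings_with_exclusions, findings_full_coverage).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed layout: product binary under home/, config under etc/.
        (root / "home" / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "data").mkdir()
        (root / "home" / "bin" / "daemon").write_bytes(b"original daemon")
        (root / "etc" / "app.conf").write_text("mode=prod\n")

        baseline = build_manifest(root)  # golden state, taken before any change

        # Post-baseline changes, both inside directories the exclusion list skips:
        # a new file appears under data/ and the config under etc/ is altered.
        (root / "data" / "planted.bin").write_bytes(b"unexpected content")
        (root / "etc" / "app.conf").write_text("mode=prod\nextra=1\n")

        with_exclusions = check_integrity(root, baseline, ARTICLE_STYLE_EXCLUSIONS)
        full_coverage = check_integrity(root, baseline)
        return with_exclusions, full_coverage


if __name__ == "__main__":
    partial, full = demo()
    print("with exclusions:", partial)
    print("full coverage:  ", full)
```

The design point for defenders is the second half of `check_integrity`: an exclusion list has to be applied to the baseline as well as the live scan, otherwise excluded files show up as spuriously "missing", and once it is applied to both, nothing under those paths can ever be surfaced. Any integrity tool whose scope is narrower than the attacker's writable paths should be backed by an independent check (for example, a scan of the exported image from outside the device) rather than trusted on its own.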

“There must be a system of checks and balances that allows customers and third parties to validate product integrity and safety,” the company said. “The more open this process is, the better we can work to validate the digital supply chain, namely the hardware, firmware and software components used in their products.”

“If suppliers do not share information and/or do not use a closed system, validation becomes difficult, as does visibility. Attackers will most certainly, as has recently been shown, take advantage of this situation and exploit the lack of controls and visibility in the system.”
