Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

February 15, 2024 at 10:18AM

Reverse engineering of the Ivanti Pulse Secure firmware revealed outdated, vulnerable software components in the Utah-based company’s appliance. Active exploitation of security flaws in related gateways has been observed. Eclypsium found outdated packages and vulnerable libraries, emphasizing the need for visibility into digital supply chains. The analysis also raised concerns about security holes in the Integrity Checker Tool.

From the meeting notes, the key takeaways are:

– The Ivanti Pulse Secure appliance’s firmware has been reverse engineered, exposing numerous weaknesses and vulnerabilities in its software supply chain security.

– The base operating system Ivanti uses for the device is CentOS 6.4, an 11-year-old release for which support ceased in November 2020.

– Threat actors have exploited multiple security flaws in Ivanti Connect Secure, Policy Secure, and ZTA gateways, utilizing malware such as web shells, stealers, and backdoors.

– Active exploitation of vulnerabilities like CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 has been observed, with Akamai noting significant scanning activity targeting CVE-2024-22024.

– Outdated packages, vulnerable libraries, and numerous security flaws have been identified, underscoring the critical need for visibility into digital supply chains and for enterprise customers to demand SBOMs from vendors.

– The firmware analysis revealed numerous issues, including outdated packages, vulnerable libraries, and a loophole in the Integrity Checker Tool that could allow attackers to bypass detection.

– The findings underscore the importance of checks and balances in validating product integrity and security, particularly in the digital supply chain, and the need for open processes to enable better validation and visibility.

These takeaways highlight the urgent need to address the identified weaknesses and vulnerabilities in the Ivanti Pulse Secure appliance firmware and emphasize the critical importance of secure software supply chains, customer validation, and transparency in the digital supply chain.
