
Eclypsium: Ivanti firmware has numerous security issues


A recent report published by supply chain security vendor Eclypsium has revealed that Ivanti’s Pulse Secure firmware is plagued with numerous undisclosed issues, including the presence of outdated and unsupported software components. This news comes in the wake of multiple zero-day vulnerabilities that have been exploited in Ivanti software in recent weeks.

In January, Ivanti patched two critical zero-day vulnerabilities in its Ivanti Policy Secure (IPS) and Ivanti Connect Secure (ICS) software, tracked as CVE-2023-46805 and CVE-2024-21887. Both flaws were found to be capable of remote code execution. According to researchers from Volexity and Google Cloud’s Mandiant, a Chinese nation-state threat actor was initially credited with exploiting these vulnerabilities, though a wider range of attackers has since targeted the flaws.

In addition to these vulnerabilities, Ivanti disclosed two new bugs in IPS and ICS later in January. One of these flaws, CVE-2024-21888, is a privilege escalation flaw, while the other, CVE-2024-21893, is a server-side request forgery. Ivanti confirmed that the latter vulnerability was being actively targeted in attacks.

Eclypsium’s recent research focused on the reverse-engineering of the firmware for Ivanti’s Pulse Secure product, specifically its ICS. The researchers encountered encrypted firmware images when they attempted to analyze a trial version of Pulse Secure. Subsequently, they decided to exploit a real hardware device and dump its firmware for analysis, which they found to be surprisingly easy.

After conducting a thorough analysis, Eclypsium’s researchers uncovered several key findings. The research revealed that Ivanti’s devices use an outdated version of Linux for their operating system, which is several years past its end-of-life date. Additionally, the analysis identified multiple outdated packages, including the Linux kernel, OpenSSL, Python, Perl, and Bash, among others.

Furthermore, Eclypsium discovered a significant security flaw in Ivanti’s Integrity Checker Tool, which is used to verify the integrity of customer products. The researchers found that the tool excludes over a dozen directories from being scanned, potentially allowing an attacker to leave behind persistent implants undetected.
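
The blind spot described above can be reproduced with a minimal hash-manifest scanner. This is an added illustration, not Eclypsium's or Ivanti's code: it shows a scan with an exclusion list reporting less than a full scan of the same tree, plus a coverage check that lists what the scan never examined. The directory names, file contents and function names are constructed for the example; the tool's actual excluded paths are not given on this page.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def walk_files(root, excluded=()):
    """Yield file paths relative to root, pruning directories listed in `excluded`."""
    skip = {os.path.normpath(e) for e in excluded}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in skip]
        for name in filenames:
            yield os.path.normpath(os.path.join(rel_dir, name))

def scan(root, manifest, excluded=()):
    """Compare files on disk with a known-good manifest {relative path: sha256}."""
    findings = []
    for rel in walk_files(root, excluded):
        if rel not in manifest:
            findings.append(("unexpected", rel))
        elif sha256_file(os.path.join(root, rel)) != manifest[rel]:
            findings.append(("modified", rel))
    return sorted(findings)

def blind_spots(root, excluded):
    """Files that exist on disk but that a scan with `excluded` never hashes."""
    return sorted(set(walk_files(root)) - set(walk_files(root, excluded)))

def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed tree and exclusion list; none of these paths come from the report."""
    excluded = ["data/runtime"]
    with tempfile.TemporaryDirectory() as root:
        for rel, data in [("bin/daemon", b"v1"), ("etc/app.conf", b"port=443"),
                          ("data/runtime/cache.db", b"cache")]:
            write(root, rel, data)
        manifest = {rel: sha256_file(os.path.join(root, rel)) for rel in walk_files(root)}
        write(root, "etc/app.conf", b"port=8443")           # change in a scanned directory
        write(root, "data/runtime/added.bin", b"new file")  # new file in an excluded directory
        return (scan(root, manifest, excluded), scan(root, manifest),
                blind_spots(root, excluded))
```

A clean result from the excluding scan only means the scanned directories match the manifest; the `blind_spots` output is the part of the filesystem that result says nothing about.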

Nate Warfield, director of threat research and intelligence at Eclypsium, emphasized the increasing appeal of network devices like Ivanti’s for threat actors due to their exposure to the internet and the lack of endpoint detection and response products. Warfield further highlighted the importance of transparency in the supply chain to address the root issue of poor product security practices on the part of network device vendors.

The report’s release coincides with efforts by the U.S. government to hold software vendors accountable for insecure products with significant vulnerabilities. The Biden administration proposed shifting liability for such insecure products to the developers and vendors as part of a new National Cybersecurity Strategy released last March.

Ivanti has been contacted for additional comment on the report. The recent findings from Eclypsium’s research underscore the critical importance of implementing security practices and transparency in the supply chain to mitigate vulnerabilities in network devices.
