Eclypsium: Ivanti firmware has 'plethora' of security issues

Supply chain security vendor Eclypsium published research Thursday claiming Ivanti's Pulse Secure firmware has "a plethora of previously unreported problems," including multiple outdated and unsupported software components.

Eclypsium's research comes on the heels of several zero-day vulnerabilities exploited in Ivanti software in recent weeks. In late January, Ivanti patched two critical zero-day vulnerabilities in its Ivanti Policy Secure (IPS) and Ivanti Connect Secure (ICS) software, tracked as CVE-2023-46805 and CVE-2024-21887. Both flaws, which Volexity disclosed on Jan. 10, are capable of remote code execution. Researchers from both Volexity and Google Cloud's Mandiant credited an initial wave of attacks in December to a Chinese nation-state threat actor, but a wide range of actors have reportedly exploited the flaws since.

Later in January, Ivanti also disclosed two new bugs in IPS and ICS. One, CVE-2024-21888, is a privilege escalation flaw, and CVE-2024-21893 is a server-side request forgery. Ivanti said at the time that the latter was being targeted in attacks.

Eclypsium's research, published as a blog post, is based on the vendor reverse-engineering firmware for ICS in Ivanti's Pulse Secure product.

Researchers said they downloaded a trial version of Pulse Secure to analyze its firmware, but found that the firmware image was encrypted. They then decided to exploit a real hardware device and dump its firmware for analysis. "This proved far easier than we expected," the blog post read.

Along with a Pulse Secure Appliance 3000, Eclypsium researchers used a short proof-of-concept exploit based on Rapid7 research as well as a reverse shell to compromise the firmware. Eclypsium noted that the exploit itself was short enough to fit "in a tweet." The reverse shell code was only marginally larger.

Full technical details are available in the blog post. Though the research does not introduce new vulnerabilities, Eclypsium researchers argued that the firmware contains several weaknesses outside the scope of the flaws that have been disclosed recently.

For example, researchers found out that Ivanti was using a version of Linux for its devices' operating system that was several years out of date.

"After exfiltrating the /data partition we turned our attention to the rest of the device. This is probably a good time to point out what base operating system Ivanti is using: CentOS 6.4; which was released in 2013 and officially end of life in 2020," the blog post read. "You read that correctly: Pulse Secure runs an 11-year-old version of Linux which hasn't been supported since November 2020."

Beyond CentOS 6.4, analysis conducted using the EMBA firmware analysis tool found several outdated packages, including Linux kernel 2.6.32, with a February 2016 end of life; OpenSSL 1.0.2n, dated December 2017; Python 2.6.6, dated August 2010; Perl 5.6.1 built for i386 Linux, not x64, dated April 2001; Bash 4.1.2 and others.

"These old software packages are components in the Ivanti Connect Secure product," Eclypsium said. "This is a perfect example as to why visibility into digital supply chains is important and why enterprise customers are increasingly demanding SBOMs [software bills of materials] from their vendors."

Researchers also called attention to Ivanti's Integrity Checker Tool, which is used to confirm that no abnormal changes have been made to a customer's product. Eclypsium found a "huge security hole" in the logic of the Python script used to conduct analysis. "[The tool] excludes over a dozen directories from being scanned, meaning an attacker could theoretically leave their persistent C2 implants in one of these paths and the device will still pass the integrity check," the blog post read.

Researchers then tested their theory and placed a copy of Sliver C2, a widely used open source red team tool, into a folder before running the integrity tool. "It reported perfectly clean," Eclypsium said.

Nate Warfield, director of threat research and intelligence at Eclypsium, told TechTarget Editorial in an email that threat actors are increasingly targeting network devices such as Ivanti's because the devices need to be exposed to the internet and do not support endpoint detection and response products.

"This makes these network devices particularly appealing to attackers who can use them to pivot inside networks and evade detection," he said. "Poor product security practices on the part of network device vendors doesn't help, but the obscurity of what goes on inside these devices prevents this from seeing the light of day."

Eclypsium's findings come in the wake of efforts by the U.S. government to hold software vendors accountable for insecure products with significant weaknesses and vulnerabilities. Last March, the Biden administration released a new National Cybersecurity Strategy that proposed shifting liability for such insecure products to the developers and vendors.

Though Warfield called the shift "probably a good thing overall," he felt that the root issue was a lack of transparency from software vendors.

"We find ourselves in this mess because the supply chain obscures the use of secure practices, policies and technologies," he said. "Unfortunately, this obscurity occurs in the most critical foundation of our software, firmware and hardware. Liability changes may help, but the real solution will only come from transparency throughout the supply chain. Everyone in the community of developers and manufacturers needs to help enable this transparency."

TechTarget Editorial has reached out to Ivanti for additional comment.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.