Thursday, February 15, 2024

Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

Ivanti Pulse Secure

A reverse engineering of the firmware running on Ivanti Pulse Secure appliances has revealed numerous weaknesses, once again underscoring the challenge of securing software supply chains.

Eclypsium, which acquired a firmware version as part of the process, said the base operating system used by the Utah-based software company for the device is CentOS 6.4.

“Pulse Secure runs an 11-year-old version of Linux which hasn’t been supported since November 2020,” the firmware security company said in a report shared with The Hacker News.

The development comes as threat actors are capitalizing on a number of security flaws discovered in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deliver a wide array of malware, including web shells, stealers, and backdoors.

The vulnerabilities that have come under active exploitation in recent months comprise CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Last week, Ivanti also disclosed another bug in the software (CVE-2024-22024) that could permit threat actors to access otherwise restricted resources without any authentication.


In an alert published yesterday, web infrastructure company Akamai said it has observed “significant scanning activity” targeting CVE-2024-22024 starting February 9, 2024, following the publication of a proof-of-concept (PoC) by watchTowr.

Eclypsium said it leveraged a PoC exploit for CVE-2024-21893 that was released by Rapid7 earlier this month to obtain a reverse shell to the PSA3000 appliance, subsequently exporting the device image for follow-on analysis using the EMBA firmware security analyzer.

This not only uncovered a number of outdated packages – corroborating previous findings from security researcher Will Dormann – but also a number of vulnerable libraries that are cumulatively susceptible to 973 flaws, out of which 111 have publicly known exploits.

Number of scanning requests per day targeting CVE-2024-22024

Perl, for instance, hasn’t been updated since version 5.6.1, which was released 23 years ago on April 9, 2001. The Linux kernel version is 2.6.32, which reached end-of-life (EoL) as of March 2016.

“These old software packages are components in the Ivanti Connect Secure product,” Eclypsium said. “This is a good example as to why visibility into digital supply chains is vital and why enterprise customers are increasingly demanding SBOMs from their vendors.”

Furthermore, a deeper examination of the firmware unearthed 1,216 issues in 76 shell scripts, 5,218 vulnerabilities in 5,392 Python files, in addition to 133 outdated certificates.

The issues don't end there, for Eclypsium found a “security hole” in the logic of the Integrity Checker Tool (ICT) that Ivanti has recommended its customers to use in order to look for indicators of compromise (IoCs).

Specifically, the script has been found to exclude over a dozen directories such as /data, /etc, /tmp, and /var from being scanned, thereby hypothetically allowing an attacker to deploy their persistent implants in one of these paths and still pass the integrity check. The tool, however, scans the /home partition that stores all product-specific daemons and configuration files.


As a result, deploying the Sliver post-exploitation framework to the /data directory and executing ICT reports no issues, Eclypsium discovered, suggesting that the tool provides a “false sense of security.”

It's worth noting that threat actors have also been observed tampering with the built-in ICT on compromised Ivanti Connect Secure devices in an attempt to sidestep detection.

In a theoretical attack demonstrated by Eclypsium, a threat actor could drop their next-stage tooling and store the harvested information in the /data partition and then abuse another zero-day flaw to gain access to the device and exfiltrate the data staged previously, all the while the integrity tool detects no signs of anomalous activity.
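The coverage gap described above can be reproduced on a throwaway directory tree. The following is an added illustration, not Ivanti's ICT or Eclypsium's code: the file names, contents and the `snapshot`, `changed`, `write` and `demo` helpers are constructed for the example, and only the four excluded directory names come from the article.

```python
import hashlib
import os
import tempfile

# Top-level directories the article names as skipped (the real list has over a dozen).
EXCLUDED = ("data", "etc", "tmp", "var")

def snapshot(root, excluded=()):
    """Map relative path -> SHA-256 for files under root, skipping excluded top-level dirs."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.samefile(dirpath, root):
            dirnames[:] = [d for d in dirnames if d not in excluded]  # prune the walk
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def changed(baseline, current):
    """Paths that are new or whose hash differs from the baseline."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)

def write(root, rel, body):
    """Create a file (and its parent directories) inside the constructed tree."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)

def demo():
    """Build a constructed tree, change it, and compare scoped vs. full coverage."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "home/bin/daemon", b"vendor daemon v1")       # constructed sample
        write(root, "data/runtime/state.db", b"appliance state")  # constructed sample
        base_scoped, base_full = snapshot(root, EXCLUDED), snapshot(root)
        write(root, "home/bin/daemon", b"vendor daemon v1 (modified)")
        write(root, "data/runtime/unexpected.bin", b"file absent from baseline")
        scoped = changed(base_scoped, snapshot(root, EXCLUDED))
        full = changed(base_full, snapshot(root))
    blind_spot = sorted(set(full) - set(scoped))
    return scoped, full, blind_spot

if __name__ == "__main__":
    scoped, full, blind_spot = demo()
    print("scoped check flags:", scoped)
    print("full check flags:  ", full)
    print("never examined:    ", blind_spot)
```

Directories such as /data hold mutable state, so a real check there would need an expected-file allowlist rather than fixed hashes, but skipping them entirely leaves the gap the article describes.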

“There must be a system of checks and balances that allows customers and third-parties to validate product integrity and security,” the company said. “The more open this process is, the better job we can do to validate the digital supply chain, namely the hardware, firmware, and software components used in their products.”

“When vendors do not share information and/or operate a closed system, validation becomes difficult, as does visibility. Attackers will most certainly, as evidenced recently, take advantage of this situation and exploit the lack of controls and visibility into the system.”

