1200 issues and 5000 vulnerabilities: Ivanti, it's time to retire

Eclypsium experts have smashed the vaunted Pulse Secure security to smithereens.

A recent study of Ivanti's Pulse Secure device firmware sheds light on deep security issues in software supply chains. Eclypsium specialists have discovered numerous vulnerabilities that demonstrate the complexity of ensuring the protection of such software systems.

In their analysis, the researchers used reverse engineering to examine the firmware version 9.1.18.2-24467.1 used in the Pulse Secure hardware. It was revealed that the basis for the devices is the CentOS 6.4 operating system, based on Linux, which was released 11 years ago and has not received a security update for more than three years.

Increased attention to this issue is caused by the growing number of attacks on Ivanti products, including Connect Secure, Policy Secure and ZTA gateways. Attackers use the discovered vulnerabilities to spread malware, which puts users' data and security at risk.

Among the actively exploited vulnerabilities identified were CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893. Additionally, Ivanti disclosed information about a new vulnerability CVE-2024-22024, which simplifies unauthorized access to protected resources.

The Eclypsium report highlights the use of legacy components in the firmware of Pulse Secure devices, including a version of Perl that hasn't been updated in 23 years, and a version of the Linux kernel that was discontinued in 2016. Such findings confirm the risk associated with the use of outdated software.

Further analysis by the researchers revealed more than 1,200 issues in command shell scripts and over 5,000 vulnerabilities in Python files, pointing to deep security issues in the firmware. In addition, 133 outdated certificates were found, which makes the situation even worse.

Particular attention was paid to the shortcomings of the integrity verification tool recommended by Ivanti. This tool skips scanning key directories, which theoretically allows attackers to bypass detection, creating a "false sense of security".

Based on these findings, Eclypsium demonstrated a theoretical attack in which an attacker could exploit a faulty integrity checking tool to covertly host malware.

In conclusion, the Eclypsium study is an important reminder of the importance of transparency and verifiability in digital supply chains. Only through an open and accessible process can software and hardware be effectively protected from threats, ensuring the security of users and data.

Eclypsium experts concluded that software and hardware vendors should build an open and transparent system for developing and supporting their products, enabling third-party organizations to independently assess their integrity and security.

"The more open this process is, the better we will be able to perform verification of the digital supply chain," the experts concluded.
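
The integrity-tool gap described above (a checker that skips directories) can be measured from the defender's side. The following is an added example, not part of the original post and not Eclypsium's or Ivanti's code: it audits a whole tree against a hash manifest and lists the findings a checker limited to certain directories would never report. The directory names, `scanned_dirs` and the sample files are constructed assumptions.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()  # whole-file read: fine for a demo

def audit(root, manifest, scanned_dirs):
    """Walk ALL of root, compare to manifest {relpath: sha256}, and flag findings
    that a checker limited to scanned_dirs (top-level names) would never report."""
    report = {"modified": [], "unlisted": [], "missing": [], "blind_spots": []}
    seen = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                kind = "unlisted"            # file that was never baselined
            elif sha256_file(full) != manifest[rel]:
                kind = "modified"            # content differs from baseline
            else:
                continue
            report[kind].append(rel)
            if rel.split("/")[0] not in scanned_dirs:
                report["blind_spots"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed tree: baseline it, introduce drift, then audit."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        paths = ("bin/tool", "etc/app.conf", "data/cache.db")
        for rel in paths:
            write(rel, b"baseline")
        manifest = {r: sha256_file(os.path.join(root, r)) for r in paths}
        write("bin/tool", b"changed")        # drift inside a scanned directory
        write("data/cache.db", b"changed")   # drift in a directory the checker skips
        write("data/extra.bin", b"new")      # new file in a skipped directory
        os.remove(os.path.join(root, "etc/app.conf"))
        # Assumption: the narrower checker only walks bin/ and etc/
        return audit(root, manifest, scanned_dirs={"bin", "etc"})

if __name__ == "__main__":
    print(demo())
```

A non-empty `blind_spots` list is the measurable form of the "false sense of security": changes exist on disk, but only outside what the narrower checker looks at.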