Thousands of Vulnerabilities Found in Pulse Secure

A recent investigation into the firmware of Pulse Secure devices by Ivanti has illuminated profound security vulnerabilities within software supply chains. Specialists at Eclypsium uncovered numerous vulnerabilities, showcasing the complexity of safeguarding such software systems.

During their analysis, researchers employed reverse engineering to examine the firmware version 9.1.18.2-24467.1 utilized in Pulse Secure hardware. They discovered that the foundation for the devices is the CentOS 6.4 operating system, based on Linux, which was released 11 years ago and has not received security updates for over three years.

This issue has garnered increased attention due to a recent surge in attacks on Ivanti products, including Connect Secure, Policy Secure, and ZTA gateways. Malefactors exploit these vulnerabilities to disseminate malware, compromising user data and security.

Among the vulnerabilities actively exploited were identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Additionally, Ivanti disclosed information about a new vulnerability, CVE-2024-22024, which facilitates unauthorized access to protected resources.

The Eclypsium report highlights the use of outdated components in the Pulse Secure device firmware, including a version of Perl that hasn’t been updated in 23 years, and a version of the Linux kernel whose support ended in 2016. Such findings underscore the risks associated with using obsolete software.

Further analysis by the researchers revealed over 1200 issues in shell scripts and more than 5000 vulnerabilities in Python files, indicating deep-seated security problems in the firmware. Moreover, 133 obsolete certificates were found, further exacerbating the situation.

Particular attention was given to the shortcomings of the integrity-checking tool recommended by Ivanti. This tool skips scanning key directories, theoretically allowing malefactors to bypass detection, creating a “false sense of security.”

Based on these findings, Eclypsium demonstrated a theoretical attack in which a malefactor could exploit the flaws of the integrity checking tool to covertly place malware.

Eclypsium experts concluded that software and hardware suppliers must establish an open and transparent system of development and support for their products, allowing third-party organizations to independently assess their integrity and security.

“The more open this process is, the better job we can do to validate the digital supply chain, namely the hardware, firmware, and software components used in their products,” the specialists concluded.