Outdated Software, Exploited Flaws, Security Loopholes Expose Ivanti’s Devices
Researchers found corporate VPN maker Ivanti’s Pulse Secure devices – which underwent much emergency patching amid a likely Chinese espionage zero-day hacking campaign – run an 11-year-old version of Linux and many obsolete software packages.
Supply chain security firm Eclypsium said Thursday it also discovered a flaw in a built-in Ivanti integrity checking tool – a scanning functionality Ivanti has repeatedly urged users to employ during an onslaught of attacks.
Likely Chinese nation-state hackers used a pair of zero-days starting in early December to penetrate gateways made by the Utah manufacturer. The company began rolling out patches in mid-January and discovered additional vulnerabilities, the most recent of which it disclosed on Feb. 8.
Akamai reported Wednesday that it had observed “significant scanning activity” searching for devices that are vulnerable to the most recent flaw, which is tracked as CVE-2024-22024. Scanning increased after researchers published a proof of concept on Feb. 9, Akamai said.
Eclypsium’s main gripe with Ivanti is that the company encrypts its firmware in a bid to prevent reverse engineering and that the encryption favors attackers since defenders cannot examine the underlying code. “The more open this process is, the better job we can do to validate the digital supply chain,” it said.
Researchers at the firm decrypted an Ivanti VPN image and discovered that the operating system was CentOS 6.4, which was first released in 2013 and reached end of life in November 2020. Ivanti appears to have stripped the base CentOS image down to the absolute minimum binaries, Eclypsium said.
It also found a Linux kernel that had reached end of life in February 2016, “a number of outdated libraries with known CVEs and exploits,” and a version of OpenSSL that had reached end of life in December 2017. Most of the graphical user interface, it said, is written in Perl and “presents a huge attack surface, which is no surprise, considering the constant stream of vulnerabilities being exploited.”
On the bright side, Eclypsium researchers said, the command shell had been patched against a 2014 vulnerability known as Shellshock.
Eclypsium also faulted the Ivanti integrity checker, saying the scanner excludes a dozen directories. An attacker could leave a backdoor in one of those directories and it would go unreported, the researchers said. Attackers could also stage data for exfiltration in an unscanned directory and return after a patch, with a new exploit, to complete the data theft.
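The gap Eclypsium describes is easy to reproduce with a toy file integrity checker. The Python below is an added example written for this article, not Ivanti’s tool and not Eclypsium’s code: it baselines a constructed fake root filesystem, then plants a backdoor under a directory that a hypothetical exclusion list (`var` here, standing in for whatever the vendor skips) tells the scanner to ignore, and tampers with a watched binary. The excluding scan flags only the tampered binary; a full scan of the same tree also reports the planted file.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, excluded_dirs=()) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root.
    Any top-level directory named in excluded_dirs is pruned from the walk,
    mirroring a scanner with an exclusion list."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if rel_dir.parts and rel_dir.parts[0] in excluded_dirs:
            dirnames[:] = []  # don't descend into the excluded subtree
            continue
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify(baseline: dict, current: dict) -> dict:
    """Compare two manifests and report what appeared, vanished or changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> tuple:
    """Constructed scenario (all paths and contents are made up for this example):
    baseline a fake rootfs, then simulate post-compromise changes and run both
    an excluding scan and a full scan against their respective baselines."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var" / "tmp").mkdir(parents=True)
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /sbin/real_login\n")
        (root / "var" / "tmp" / "README").write_bytes(b"scratch space\n")

        excluded = ("var",)  # hypothetical exclusion list for the scanner
        baseline_partial = build_manifest(root, excluded)
        baseline_full = build_manifest(root)

        # Attacker activity: persistence in the excluded subtree plus a trojaned
        # binary in a scanned directory that calls it.
        (root / "var" / "tmp" / ".cache").mkdir()
        (root / "var" / "tmp" / ".cache" / "bd.sh").write_bytes(
            b"#!/bin/sh\nwhile true; do sleep 60; done\n")
        (root / "bin" / "login").write_bytes(
            b"#!/bin/sh\n/var/tmp/.cache/bd.sh &\nexec /sbin/real_login\n")

        partial = verify(baseline_partial, build_manifest(root, excluded))
        full = verify(baseline_full, build_manifest(root))
        return partial, full


if __name__ == "__main__":
    partial, full = demo()
    print("excluding scan:", partial)  # misses var/tmp/.cache/bd.sh
    print("full scan:     ", full)     # reports both changes
```

Two practical notes follow from the demo. First, the excluding scan is not wrong about what it checks; it simply never looks where the payload lives, so an operator reading "no findings" has learned nothing about the excluded paths. Second, a pruned walk like this one also hides files an attacker drops in a previously empty subdirectory, because exclusion is by path prefix rather than by content, which is why a baseline taken with the full walk (or an out-of-band comparison of the decrypted image) is the more useful control.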
“We can’t rely on vendors to deliver perfectly secure hardware and software,” Eclypsium said. “There must be a system of checks and balances that allows customers and third parties to validate product integrity and security.”