Ivanti Pulse Secure Found Using End of Life CentOS 6 OS

Rohan Timalsina

February 29, 2024 - TuxCare expert team

Ivanti Pulse Secure VPN appliances have recently been the target of several sophisticated attacks, highlighting the ongoing challenges in safeguarding critical IT infrastructure like network devices. UNC5221, a nation-state group, exploited vulnerabilities in these appliances until at least December 3, 2023, with subsequent mass exploitation by multiple groups. These incidents underscore the vulnerabilities inherent in network security devices, despite their intended role in enhancing organizational security.

While reverse engineering the firmware powering Ivanti devices, Eclypsium, a supply chain security company, unearthed numerous previously undisclosed issues. In this blog post, we will delve into the spectrum of vulnerabilities uncovered during this process and their wider ramifications for the cybersecurity landscape.

 

Eclypsium Exposed Ivanti Pulse Secure Firmware

 

Eclypsium said they used a PoC exploit for CVE-2024-21893, released by Rapid7, to establish a reverse shell on their PSA3000 lab device. During the examination, they obtained firmware version 9.1.18.2-24467.1 and identified that the underlying operating system used by Ivanti Pulse Secure is CentOS 6.4. Alarmingly, this version of CentOS Linux reached end of life on November 30, 2020.

Eclypsium then analyzed the exported device image with the EMBA firmware security analyzer, which revealed several outdated packages in the Ivanti Connect Secure product. These include Linux kernel version 2.6.32, which reached its end of life in February 2016; OpenSSL 1.0.2n (unsupported since December 2019); Python 2.6.6 (unsupported since October 2013); and Perl v5.6.1, released on April 9, 2001, for i386-linux rather than x64. Numerous libraries were also found to be outdated, with known CVEs and potential exploits. Bash 4.1.2, although outdated, was found to be patched for the Shellshock vulnerability.

Additionally, Eclypsium said that they found a Python script containing a significant security hole in its logic: “It excludes over a dozen directories from scanning, potentially allowing an attacker to hide persistent C2 implants in these paths without detection during integrity checks.”
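The blind spot described above can be measured. The following is an added example, not the script Eclypsium examined and not Ivanti's code: a Python integrity check with an exclusion list that also reports every file it never verified. The directory names and the functions `scan`, `integrity_report` and `demo` are hypothetical.

```python
import hashlib
import os
import tempfile


def scan(root, excluded):
    """Hash every file under root; files in excluded dirs are listed, not hashed."""
    excluded = [os.path.normpath(e) for e in excluded]
    hashed, skipped = {}, []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        blind = any(rel_dir == e or rel_dir.startswith(e + os.sep) for e in excluded)
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if blind:
                skipped.append(rel)
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                hashed[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashed, sorted(skipped)


def integrity_report(root, baseline, excluded):
    """Compare the tree with a baseline and expose what the check never verified."""
    hashed, skipped = scan(root, excluded)
    return {
        "changed_or_new": sorted(p for p, h in hashed.items() if baseline.get(p) != h),
        "missing": sorted(p for p in baseline if p not in hashed),
        "unverified": skipped,  # the blind spot created by the exclusion list
    }


def demo():
    # Constructed sample tree; the directory names are hypothetical, not Ivanti's.
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("bin/server", b"v1")
        write("data/runtime/cache.db", b"state")
        excluded = ["data/runtime"]
        baseline, _ = scan(root, excluded)
        # After the baseline: one new file in a scanned path, one in an excluded path.
        write("bin/helper", b"new")
        write("data/runtime/extra.bin", b"new")
        return integrity_report(root, baseline, excluded)


if __name__ == "__main__":
    print(demo())
```

A file added under an excluded directory never appears in `changed_or_new`; it only shows up in `unverified`, which is the list to review or hash by other means.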

 

Active Exploitation of Ivanti Products Vulnerabilities

 

These revelations come at a time when threat actors are actively exploiting security flaws in Ivanti Pulse Secure, Policy Secure, and ZTA gateways to distribute various forms of malware, including web shells, stealers, and backdoors. Notable vulnerabilities subject to exploitation include CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and the recently disclosed CVE-2024-22024, which allows unauthorized access to restricted resources without authentication.

 

Securing CentOS 6 After End of Life

 

Organizations may keep running CentOS 6 after EOL, but without security updates, new vulnerabilities in CentOS 6 servers will remain unpatched, exposing applications and users to potential exploitation. A direct upgrade path from CentOS 6.x to 7.x is not available. The recommended process therefore involves backing up the CentOS 6.x server, performing a fresh installation of CentOS 7.x, and then importing the backed-up data from the old CentOS 6.x server. However, the migration is often challenging and time-consuming, and it requires careful planning and execution to ensure a smooth transition.

Alternatively, companies like Ivanti that are still running the outdated CentOS 6 OS can utilize TuxCare’s Extended Lifecycle Support to ensure the security and compliance of the CentOS 6 workloads. TuxCare provides security updates for CentOS 6, fixing high and critical vulnerabilities until November 2026. Extended support also gives enough time to plan the migration while keeping the system safe and secure.

 

The sources for this article include a story from Eclypsium.
