SBOM in Action: Ivanti Pulse Firmware

SBOM empowers customers to incentivize security-aware decision-making.
February 22, 2024

Ivanti — the company behind Connect Secure VPN products — is going through a crisis.

Ivanti Pulse has recently become an obsession of attackers and researchers.

This led researchers at Eclypsium to analyze the composition of its firmware.

Bad News

And it did not look good. The research suggests the firmware is built on a version of the Linux kernel that reached end of life in 2016, along with versions of packages as old as 23 years.

Component age alone is not necessarily a risk in itself.

However, when combined with a lack of transparency, it creates the impression of an organization prioritizing low build cost over effective security practices.

Without incentives to promote such transparency, more organizations will be struggling with security and reputational concerns simultaneously.

Good News

The good news is that software transparency with SBOM helps.

SBOM empowers customers to see through such practices and incentivizes security-aware decision-making.

If Ivanti published or privately shared an SBOM, analyzing it for the vulnerability and support level of its components would be trivial.

At Interlynk, it took us less than two minutes to build Ivanti's SBOM from scratch based on the published research (focusing only on the most outrageously outdated components).

Interlynk’s vulnerability scan instantly showed 35 Critical, 798 High, and 1099 Medium vulnerabilities.

That could be the first set of customer questions.

We then switched to the Support tab to find the details matching the findings of Eclypsium researchers.

Those would be the follow-up questions to Ivanti.
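The workflow described above (turn a component list into an SBOM, then check each component's support status and age before asking about vulnerabilities) is easy to reproduce with a few dozen lines of code. The script below is an added example, not Interlynk's platform and not Ivanti's real firmware inventory: every component name, version and date in it is constructed. It assumes CycloneDX 1.5 JSON as the SBOM format, a package URL (purl) per component as the identifier a scanner would match on, and a simple support model (an upstream end-of-life date, or none). The vulnerability lookup against an advisory database is the scanner's job and is not part of the example.

```python
"""Build a minimal CycloneDX 1.5 SBOM from a component inventory and flag
components whose upstream support has ended or whose version is very old.

Added example: not Interlynk's tooling and not Ivanti's component list.
Every name, version and date below is constructed for illustration.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Component:
    """One entry in a firmware inventory (all sample values are constructed)."""
    name: str
    version: str
    purl_type: str            # package-URL type, e.g. "generic" or "deb"
    released: date            # upstream release date of this exact version
    eol: Optional[date]       # upstream end-of-life date; None if still supported


# Constructed inventory with placeholder names, NOT Ivanti's real components.
SAMPLE_INVENTORY = [
    Component("example-kernel", "2.6.32", "generic", date(2009, 12, 3), date(2016, 2, 29)),
    Component("example-libc", "2.3.2", "generic", date(2003, 3, 3), date(2008, 4, 1)),
    Component("example-tls", "1.1.1w", "generic", date(2023, 9, 11), date(2023, 9, 11)),
    Component("example-utils", "9.4", "generic", date(2023, 4, 18), None),
]

# Analysis date used throughout (the date of this post).
AS_OF = date(2024, 2, 22)


def purl(c: Component) -> str:
    """Package URL: the stable identifier a vulnerability scanner matches on."""
    return f"pkg:{c.purl_type}/{c.name}@{c.version}"


def support_status(c: Component, as_of: date) -> str:
    """'eol' once the upstream end-of-life date has passed, else 'supported'."""
    return "eol" if c.eol is not None and c.eol <= as_of else "supported"


def age_years(c: Component, as_of: date) -> float:
    """Years since this version was released upstream."""
    return (as_of - c.released).days / 365.25


def build_sbom(components, as_of: date) -> dict:
    """Emit a minimal CycloneDX 1.5 document as a dict.

    Only the fields a scanner needs (name, version, purl) are included, plus
    custom properties carrying the support status and age for reviewers.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"timestamp": as_of.isoformat() + "T00:00:00Z"},
        "components": [
            {
                "type": "library",
                "name": c.name,
                "version": c.version,
                "purl": purl(c),
                "properties": [
                    {"name": "example:support-status", "value": support_status(c, as_of)},
                    {"name": "example:age-years", "value": f"{age_years(c, as_of):.1f}"},
                ],
            }
            for c in components
        ],
    }


def triage(components, as_of: date, max_age_years: float = 10.0):
    """Return the components a customer would ask about first, with reasons."""
    findings = []
    for c in components:
        reasons = []
        if support_status(c, as_of) == "eol":
            reasons.append(f"upstream support ended {c.eol.isoformat()}")
        if age_years(c, as_of) > max_age_years:
            reasons.append(f"version is {age_years(c, as_of):.1f} years old")
        if reasons:
            findings.append({"purl": purl(c), "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_INVENTORY, AS_OF), indent=2))
    for finding in triage(SAMPLE_INVENTORY, AS_OF):
        print(finding["purl"], "->", "; ".join(finding["reasons"]))
```

Running the script prints the SBOM JSON followed by the triage list; with the constructed inventory, three of the four components are flagged (two for both end-of-life status and age, one for end-of-life status alone) and the recent, still-supported one is not. The purl values are what a scanner would send to an advisory database, so the same SBOM feeds both the vulnerability and the support-level questions the post describes.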

Interlynk believes software transparency creates the appropriate incentive for balancing build cost and security. And with the state-of-the-art integrations in place, analyzing an SBOM with Interlynk is as trivial as drag-and-drop. We hope such transparency will spare software vendors and consumers much downstream maintenance and reputational cost, and spare IT teams preventable crises.