Original post date: May 15, 2024
Last updated: July 17, 2024
This is my subjective choice of security events from April 2024 that might interest embedded developers.
For transparency, I mark with (*) events I have been involved with and events by organizations I’m involved with. I am also a guest author at LWN.net, but I have not written any of the articles linked this month.
From March 29: the XZ issue – a backdoor was detected in xz-utils, a widely used compression library (liblzma). The malicious code was planted in the 5.6.0 and 5.6.1 release tarballs and targeted sshd on systems where it links liblzma. The discussion starting with the announcement at oss-security is rich in details: https://www.openwall.com/lists/oss-security/2024/03/29/4 For a summary and community reactions, see LWN coverage https://lwn.net/Articles/967192/ and https://lwn.net/Articles/967866/ , Red Hat’s view https://www.redhat.com/en/blog/understanding-red-hats-response-xz-security-incident , the timeline https://boehs.org/node/everything-i-know-about-the-xz-backdoor and the CVE entry with numerous resources https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
April 4: (*) HTTP/2 CONTINUATION flood published – an implementation weakness shared by many HTTP/2 servers that can result in a Denial of Service (DoS): a client sends a HEADERS frame followed by an unbounded sequence of CONTINUATION frames that never set the END_HEADERS flag, and a server that buffers the header block until it completes exhausts memory or CPU. The original advisory includes technical details https://nowotarski.info/http2-continuation-flood-technical-details/ Impacted projects include the Apache HTTP Server, Apache Tomcat, Golang, Node.js, nghttp2, and more
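To make the CONTINUATION flood concrete, here is an added example (my own illustration, not code from the advisory or from any of the affected projects). It builds the attacker's frame stream with the HTTP/2 framing from RFC 9113 and feeds it to two reassemblers: one that buffers header-block fragments without limit, and one with a byte and frame-count ceiling. Header-block payloads are treated as opaque bytes (no HPACK decoding), and the limit values are hypothetical; real servers choose their own.

```python
"""HTTP/2 CONTINUATION flood: attacker frames vs. bounded and unbounded reassembly."""
import struct

FRAME_HEADERS = 0x1          # frame type values from RFC 9113
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
FRAME_HEADER_LEN = 9         # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id


class ProtocolError(Exception):
    """Frame sequence violates HTTP/2 framing rules (a connection error)."""


class FloodDetected(ProtocolError):
    """Header block exceeded a configured limit; the connection must be closed."""


def encode_frame(ftype, flags, stream_id, payload):
    """Serialise one frame: fixed 9-octet header followed by the payload."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload exceeds the 24-bit length field")
    header = (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def decode_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ProtocolError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def continuation_flood(stream_id, fragment, count):
    """Attacker stream: one HEADERS frame and `count` CONTINUATION frames, none of
    which sets END_HEADERS, so the header block never completes."""
    frames = [encode_frame(FRAME_HEADERS, 0, stream_id, fragment)]
    frames += [encode_frame(FRAME_CONTINUATION, 0, stream_id, fragment)
               for _ in range(count)]
    return b"".join(frames)


class HeaderBlockReassembler:
    """Server-side reassembly of a header block split over HEADERS + CONTINUATION.
    With both limits None this is the vulnerable pattern: fragments are buffered
    until END_HEADERS arrives, however long that takes. With limits set (hypothetical
    values) the block is capped in bytes and in frames; exceeding either aborts."""

    def __init__(self, max_block_bytes=None, max_continuations=None):
        self.max_block_bytes = max_block_bytes
        self.max_continuations = max_continuations
        self.buffer = bytearray()
        self.open_stream = None      # stream whose header block is in progress
        self.continuations = 0

    def feed(self, data):
        """Consume frames; return the list of (stream_id, header_block) completed."""
        completed = []
        for ftype, flags, sid, payload in decode_frames(data):
            if self.open_stream is not None:
                # RFC 9113 6.10: only CONTINUATION on the same stream may follow.
                if ftype != FRAME_CONTINUATION or sid != self.open_stream:
                    raise ProtocolError("expected CONTINUATION on stream %d" % self.open_stream)
                self.continuations += 1
                if (self.max_continuations is not None
                        and self.continuations > self.max_continuations):
                    raise FloodDetected("too many CONTINUATION frames")
            elif ftype == FRAME_HEADERS:
                self.open_stream, self.buffer, self.continuations = sid, bytearray(), 0
            elif ftype == FRAME_CONTINUATION:
                raise ProtocolError("CONTINUATION without a preceding HEADERS")
            else:
                continue                  # other frame types are irrelevant here
            self.buffer += payload
            if (self.max_block_bytes is not None
                    and len(self.buffer) > self.max_block_bytes):
                raise FloodDetected("header block exceeds %d bytes" % self.max_block_bytes)
            if flags & FLAG_END_HEADERS:
                completed.append((sid, bytes(self.buffer)))
                self.buffer, self.open_stream = bytearray(), None
        return completed


def demo():
    """Constructed attacker input: 1 KiB fragments, 1000 CONTINUATION frames.
    Returns (bytes buffered unbounded, bytes buffered bounded, flood_stopped)."""
    flood = continuation_flood(1, b"\x00" * 1024, 1000)
    unbounded = HeaderBlockReassembler()
    unbounded.feed(flood)                 # silently grows: 1001 KiB for one stream
    bounded = HeaderBlockReassembler(max_block_bytes=16 * 1024, max_continuations=8)
    try:
        bounded.feed(flood)
        stopped = False
    except FloodDetected:
        stopped = True
    return len(unbounded.buffer), len(bounded.buffer), stopped
```

The unbounded reassembler is exactly the shape the advisory describes: memory grows linearly with what the client sends, and with many connections or streams the server runs out. Note that the frame-count cap fires before the byte cap for small fragments, and the byte cap fires first for large ones, which is why a real server needs both.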
April 5: (*) several open-source foundations announce an initiative to work together on specifications needed by the upcoming CRA (Cyber Resilience Act) https://eclipse-foundation.blog/2024/04/02/open-source-community-cra-compliance/
April 9: another Spectre v2 attack (for x86) was fixed in the Linux kernel. This time, an attacker can influence the kernel's indirect branch prediction despite the existing mitigations. The commit message contains technical details of the fix https://git.kernel.org/linus/7390db8aea0d and the CERT advisory describes the possible attack https://kb.cert.org/vuls/id/155143 The mitigation state of a running kernel can be read from /sys/devices/system/cpu/vulnerabilities/spectre_v2.
April 11: An issue was discovered in Buildroot: the /dev/shm directory was created without the sticky bit, so any local user could delete or rename files that other users had placed there. Configurations using systemd are not affected, because systemd mounts /dev/shm itself. The issue has been assigned CVE-2024-34455 and is fixed with commit 0b2967e158 (package/skeleton-init-sysv: Set sticky bit on /dev/shm).
April 14: a discussion started about a recommendation to disable network namespaces in Linux, as they expose kernel code paths that have been used to exploit specific vulnerabilities. Start of the discussion, which also mentions issues with user namespaces: https://www.openwall.com/lists/oss-security/2024/04/14/1
April 15: a popular SSH client, PuTTY (also bundled into other products), receives a critical fix for an issue that could allow an attacker to recover private keys (CVE-2024-31497). The flaw is in how PuTTY generated ECDSA nonces for NIST P-521 keys: an attacker holding a few dozen signatures made with such a key (for example from signed git commits, or from SSH logins to a server under their control) can recover the private key. According to the announcement https://seclists.org/oss-sec/2024/q2/122 all NIST P-521 client keys used with PuTTY should be considered compromised; they should be replaced and their public keys removed from every authorized_keys file they were deployed to.
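The /dev/shm report is one instance of a general misconfiguration: a world-writable directory without the sticky bit. The following is an added example of my own (not Buildroot code) that audits a list of paths for that condition and demonstrates it on two constructed temporary directories, one with mode 0777 and one with the fixed mode 01777.

```python
"""Find world-writable directories that lack the sticky bit (S_ISVTX)."""
import os
import shutil
import stat
import tempfile


def missing_sticky_bit(path):
    """True if path is a directory writable by 'other' that has no sticky bit.
    Without S_ISVTX any user may unlink or rename files other users created there.
    os.stat follows symlinks, since the bit that matters is on the target."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    world_writable = bool(st.st_mode & stat.S_IWOTH)
    sticky = bool(st.st_mode & stat.S_ISVTX)
    return world_writable and not sticky


def audit(paths):
    """Return the subset of paths that are world-writable dirs without the sticky
    bit. Missing paths are skipped: /dev/shm does not exist on every image."""
    findings = []
    for p in paths:
        try:
            if missing_sticky_bit(p):
                findings.append(p)
        except FileNotFoundError:
            continue
    return findings


def demo():
    """Constructed fixture: 'shm_no_sticky' is created like the vulnerable Buildroot
    skeleton (0777), 'shm_sticky' like the fix (01777). Returns the flagged names."""
    root = tempfile.mkdtemp()
    try:
        bad = os.path.join(root, "shm_no_sticky")
        good = os.path.join(root, "shm_sticky")
        os.mkdir(bad)
        os.chmod(bad, 0o777)
        os.mkdir(good)
        os.chmod(good, 0o1777)
        hits = audit([bad, good, os.path.join(root, "does_not_exist")])
        return [os.path.basename(p) for p in hits]
    finally:
        shutil.rmtree(root)
```

On a target image, `audit(["/dev/shm", "/tmp", "/var/tmp", "/run/lock"])` covers the usual shared scratch directories; anything it returns should be created with mode 1777.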
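Finding which keys need to be rotated means locating every NIST P-521 public key that was ever authorized. The following is an added example (my own code, not from the PuTTY project or the advisory) that parses OpenSSH public-key lines, decodes the key blob and flags ecdsa-sha2-nistp521 keys. It reads the key type from inside the blob rather than trusting the text prefix. The authorized_keys sample is constructed for this example; the key material in it is dummy filler of plausible length, not real keys.

```python
"""Audit OpenSSH public-key lines for ECDSA P-521 keys (the type hit by CVE-2024-31497)."""
import base64
import struct

AFFECTED_TYPE = "ecdsa-sha2-nistp521"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def ssh_string(b):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(blob, off):
    """Decode one RFC 4251 string at off; return (bytes, next_offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    start = off + 4
    if start + n > len(blob):
        raise ValueError("truncated SSH string")
    return blob[start:start + n], start + n


def key_type_from_blob(blob):
    """Key type recorded inside the blob and, for ecdsa-sha2-* keys, the curve
    identifier that follows it."""
    ktype, off = read_ssh_string(blob, 0)
    ktype = ktype.decode("ascii")
    curve = None
    if ktype.startswith("ecdsa-sha2-"):
        curve, _ = read_ssh_string(blob, off)
        curve = curve.decode("ascii")
    return ktype, curve


def parse_pubkey_line(line):
    """Return (blob_type, curve, comment) for a key line, or None for blank lines,
    comments and lines that do not parse. An optional leading options field
    (e.g. no-pty,from="...") is skipped by locating the key-type token."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, tok in enumerate(fields[:-1]):
        if tok.startswith(KEY_TYPE_PREFIXES):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
                ktype, curve = key_type_from_blob(blob)
            except (ValueError, struct.error):
                return None
            return ktype, curve, " ".join(fields[i + 2:])
    return None


def find_p521_keys(text):
    """(line_number, comment) for every key whose blob says ecdsa-sha2-nistp521."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_pubkey_line(line)
        if parsed and parsed[0] == AFFECTED_TYPE and parsed[1] == "nistp521":
            hits.append((n, parsed[2]))
    return hits


def make_pubkey_line(ktype, curve, point, comment, options=None):
    """Build a public-key line for the constructed sample (dummy point bytes)."""
    parts = [ssh_string(ktype.encode())]
    if curve:
        parts.append(ssh_string(curve.encode()))
    parts.append(ssh_string(point))
    line = "%s %s %s" % (ktype, base64.b64encode(b"".join(parts)).decode(), comment)
    return ("%s %s" % (options, line)) if options else line


# Constructed sample authorized_keys content; not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; key material is dummy filler",
    make_pubkey_line("ssh-ed25519", None, b"\x00" * 32, "alice@laptop"),
    make_pubkey_line("ecdsa-sha2-nistp256", "nistp256", b"\x04" + b"\x00" * 64, "bob@desk"),
    make_pubkey_line("ecdsa-sha2-nistp521", "nistp521", b"\x04" + b"\x00" * 132,
                     "carol@putty", options='no-pty,from="10.0.0.0/8"'),
])
```

Run `find_p521_keys(open(path).read())` over each authorized_keys file on your servers and over any key store that received users' public keys. As a cross-check, `ssh-keygen -lf authorized_keys` prints the type and bit length of every key in the file; the affected ones show as ECDSA with 521 bits.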
April 16: Fabien Parent gives a talk at the Embedded Open Source Summit 2024 about the work on writing Linux kernel modules in Rust. The main blocking point is that many kernel maintainers do not know Rust and are not eager to accept code they would have difficulty maintaining. Video and slides are available from: https://eoss24.sched.com/event/1aBEz/from-c-to-rust-bringing-rust-abstractions-to-embedded-linux-fabien-parent-linaro LWN writeup: https://lwn.net/Articles/970216/
April 20: Misleading GitHub URLs are used to distribute malware. Because of a bug or design decision, a file attached to a comment in a repository gets a URL under that repository's path, so it looks like a file hosted by the project and can be passed off as an official release. The link keeps working even after the comment has been removed. More about the investigation: https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-malware-via-microsoft-repo-urls/
April 22: A discussion starts at oss-security about 83 Robot Operating System (ROS) vulnerabilities that were assigned CVEs, apparently without complete communication with the project team. Start of the discussion: https://www.openwall.com/lists/oss-security/2024/04/23/2
April 23: LWN reports on a discussion about the architecture of Linux security module (LSM) stacking, with Linus Torvalds objecting to completing the work as designed https://lwn.net/Articles/970070/
April 30: (*) Yocto Project 5.0 “Scarthgap” has been released. It is the project's new LTS release, and most key packages have been updated. Release notes are available from https://docs.yoctoproject.org/next/migration-guides/release-5.0.html
If you have an additional event to add, message me!
This blog post is published under CC-BY 4.0