Embedded Security Timeline June 2024


Original post date: July 15, 2024

Last updated: July 17, 2024

This is my subjective choice of security events from June 2024 that might interest embedded developers.

For transparency, I mark with (*) events I have been involved with and events by organizations I’m involved with. I am also a guest author at LWN but I have not written any of the articles linked this month.

May 2024, but with updates in June and July: Ghostscript 10.03.1 (released in May) fixes a number of serious vulnerabilities, including arbitrary code execution; see the release notes https://ghostscript.readthedocs.io/en/gs10.03.1/News.html ; Bleeping Computer reports that one of them is exploited in the wild https://www.bleepingcomputer.com/news/security/rce-bug-in-widely-used-ghostscript-library-now-exploited-in-attacks/

June 5th: Pentagrid released an advisory https://www.pentagrid.ch/en/blog/ariane-allegro-hotel-check-in-terminal-kios-escape/ about a kiosk mode exit in a specific hotel self-check-in system that allows anyone to get back to the main OS shell. Bleeping Computer writes about this issue too: https://www.bleepingcomputer.com/news/security/check-in-terminals-used-by-thousands-of-hotels-leak-guest-info/

June 10th: ARM warns of exploitation of a Mali GPU driver vulnerability; see the Bleeping Computer coverage https://www.bleepingcomputer.com/news/security/arm-warns-of-actively-exploited-flaw-in-mali-gpu-kernel-drivers/ Mali GPUs are frequently used in embedded platforms.

June 11th: LWN reports on talks about securing BPF programs other than during the verification process https://lwn.net/Articles/977394/ from Linux Storage, Filesystem, Memory Management, and BPF Summit

June 12th: LWN reports on the new Linux system call mseal that prevents changes to a block of memory https://lwn.net/Articles/978010/

June 14th: (*) The Embedded Open Source track program (part of Open Source Summit Europe 2024) has been published https://events.linuxfoundation.org/open-source-summit-europe/program/schedule/

June 15th: ASUS warns of a remote authentication bypass affecting a number of routers, with a firmware fix available, as reported by BleepingComputer https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-remote-authentication-bypass-on-7-routers/

June 19th: LWN published an article from Lee Jones from the Linux kernel CNA (CVE Numbering Authority, the group assigning CVEs). The article spawns discussion about how the process works and how it should work https://lwn.net/Articles/978711/

June 20th: Phones using outdated Android versions are a target of ransomware and espionage, as reported in this research: https://research.checkpoint.com/2024/rafel-rat-android-malware-from-espionage-to-ransomware-operations/

June 20th: A UEFI vulnerability in Phoenix SecureCore firmware has been detected https://eclypsium.com/blog/ueficanhazbufferoverflow-widespread-impact-from-vulnerability-in-popular-pc-and-server-firmware/ ; see also https://www.bleepingcomputer.com/news/security/phoenix-uefi-vulnerability-impacts-hundreds-of-intel-pc-models/

June 26th: the American cybersecurity agency CISA publishes a report on the use of memory-unsafe languages in popular open source projects https://www.cisa.gov/sites/default/files/2024-06/joint-guidance-exploring-memory-safety-in-critical-open-source-projects-508c.pdf stating that many projects are written in memory-unsafe languages and that projects written in memory-safe languages have dependencies that aren’t. These conclusions come as no surprise.

June 29th: BleepingComputer reports exploitation of D-Link DIR-859 routers allowing full remote control of the device. Those routers are end-of-life, but it is still possible to buy them online. See https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-d-link-dir-859-router-flaw-to-steal-passwords/ and the NVD record https://nvd.nist.gov/vuln/detail/CVE-2024-0769

June: New Android malware abusing the Linux kernel “seccomp” feature has been found in the wild https://promon.co/app-threat-reports/snowblind

End of June (*): The European Commission announced a series of consultation calls about definitions of various product categories on the list of important and critical products of the upcoming CRA (Cyber Resilience Act). The calls started on July 1st. I wrote a post about what to expect: https://www.eclipse.org/lists/open-regulatory-compliance/msg00117.html

If you have an additional event to add, message me!

This blog post is published under CC-BY 4.0