Original post date: June 5, 2024
Last updated: July 17, 2024
This is my subjective choice of security events from May 2024 that might interest embedded developers.
For transparency, I mark with (*) events I have been involved with and events by organizations I’m involved with. I am also a guest author at LWN.net, but I have not written any of the articles linked this month.
May 2: an article about secure randomness in Go 1.22: https://go.dev/blog/chacha8rand
May 6: an advisory about a generic flaw in VPN design has been revealed. An attacker can use a specific DHCP (Dynamic Host Configuration Protocol) message to add a route to the host that causes traffic to be sent in the attacker-controlled direction, unencrypted. The issue has been published before, but the current generation of VPNs is still vulnerable: https://www.leviathansecurity.com/blog/tunnelvision
May 7: GCC version 14 has been released with important improvements in static analysis, including -fhardened flag. Details in the blog post https://developers.redhat.com/articles/2024/04/03/improvements-static-analysis-gcc-14-compiler# and release notes: https://gcc.gnu.org/gcc-14/changes.html
May 8: LWN publishes an article on gittuf – a tool to add a security layer to git https://lwn.net/Articles/972467/
May 12: Linux kernel 6.9 released, including (among other changes): a fix for x86 hardware issue “register file data sampling” present in Intel Atom, BPF token mechanism, timer subsystem rework, and Rust on 64-bit Arm processors. The “ext2” module is deprecated. LWN coverage: https://lwn.net/Articles/965141/ and https://lwn.net/Articles/965541/
May 13: nghttp2 release 1.62.0 with a number of fixes https://github.com/nghttp2/nghttp2/releases/tag/v1.62.0
May 14: A detailed advisory was released about multiple security issues and remote execution in some D-Link routers; details: https://ssd-disclosure.com/ssd-advisory-d-link-dir-x4860-security-vulnerabilities/
May 15: Ars Technica covers a report on the Ebury backdoor that affected Linux kernel infrastructure: https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/
May 16: Intel publishes a detailed article on hardware features and speculative execution behavior. Speculative execution has been involved in several hardware security issues in recent years https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/hardware-behavior-related-to-speculative-execution.html
May 28 (*): An advisory published with multiple issues in Eclipse ThreadX (formerly Azure RTOS) https://security.humanativaspa.it/multiple-vulnerabilities-in-eclipse-threadx/. The same researcher has recently published advisories for other RTOSes (Real-time Operating Systems)
May 29: NVD (National Vulnerability Database) published an announcement stating that they had contracted additional personnel to deal with the vulnerability backlog “by the end of the fiscal year” (likely September). The NVD has been producing very limited vulnerability data since mid-February https://www.nist.gov/itl/nvd
May 30: ngnix web server release with security fixes for HTTP/3 support (CVE-2024-31079, CVE-2024-32760, CVE-2024-35200, CVE-2024-34161) https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html
If you have an additional event to add, message me!
This blog post is published under CC-BY 4.0
