Original post date: August 5, 2024
Last updated: August 5, 2024
This is my subjective choice of security events from July 2024 that might interest embedded developers.
For transparency, I mark with (*) events I have been involved with and events by organizations I’m involved with. I am also a guest author at LWN but I have not written any of the articles linked this month.
June 25th to July 17th (*): European Commission consultations on the definition of important and critical products. There have been one or more calls about each product type, including operating systems, firewalls, smart meters, connected toys and more. Note that those consultations are informal and there are no official minutes. Another round of consultations is expected in the autumn.
July 1st: Qualys researchers have discovered that the OpenSSH server has a race condition in signal handling that could allow remote code execution as root. This issue, called “regreSSHion”, has been given CVE-2024-6387. It apparently applies to glibc-based systems only and has been fixed in version 9.8. The researchers have published a detailed write-up: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
July 1st: A new attack using branch prediction in recent Intel processors has been discovered. BleepingComputer has a writeup at https://www.bleepingcomputer.com/news/security/latest-intel-cpus-impacted-by-new-indirector-side-channel-attack/ with a link to the paper https://indirector.cpusec.org/index_files/Indirector_USENIX_Security_2024.pdf
July 1st: Cisco releases a fix for an already-exploited issue in their switches. The issue has already been used to install malware on switches. BleepingComputer reports at https://www.bleepingcomputer.com/news/security/cisco-warns-of-nx-os-zero-day-exploited-to-deploy-custom-malware/
July 4th: LWN writes about the work to allow faster generation of random data to userspace: https://lwn.net/Articles/980447/
July 9th: An attack on the RADIUS protocol allowing an authentication bypass https://www.blastradius.fail/attack-details. The RADIUS protocol is frequently used in telecom equipment. See also the writeup from BleepingComputer: https://www.bleepingcomputer.com/news/security/new-blast-radius-attack-bypasses-widely-used-radius-authentication/
July 10th: American agencies CISA (Cybersecurity and Infrastructure Security Agency) and FBI release a paper on best practices for eliminating OS command injection issues, prompted by multiple such issues on networking edge devices, with Python examples: https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-os-command-injection-vulnerabilities There have been multiple OS command injection vulnerabilities in embedded devices in recent years.
July 11th: CloudFlare releases their security report stating, among other facts, that they detect exploitation attempts starting 22 minutes after a CVE is released: https://blog.cloudflare.com/application-security-report-2024-update
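The pattern the CISA/FBI alert recommends is to never build a shell command string from user input: validate the value against a strict allow-list, then pass it as a separate argv element so no shell ever parses it. The following is an added example I wrote for this newsletter (not code from the alert itself); the ping wrapper and the hostname regex are my own assumptions about what an embedded web UI might need.

```python
import re
import shlex
import subprocess
from typing import List

# Allow-list for the single user-controlled value: a DNS hostname.
# Labels are 1-63 alphanumerics/hyphens, no leading/trailing hyphen,
# whole name at most 253 chars. Shell metacharacters cannot match.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_safe_hostname(host: str) -> bool:
    """True only if host matches the allow-list exactly."""
    return _HOSTNAME_RE.match(host) is not None


def validate_hostname(host: str) -> str:
    if not is_safe_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def build_ping_argv(host: str, count: int = 1) -> List[str]:
    """Build the argument vector for ping.

    The validated hostname becomes one argv element. Because the list
    form of subprocess.run() execs the binary directly, characters such
    as ';', '|' or '$(' would be passed to ping literally, never to a shell.
    """
    return ["ping", "-c", str(int(count)), validate_hostname(host)]


def run_ping(host: str, count: int = 1) -> int:
    """Run ping without a shell and return its exit status."""
    result = subprocess.run(
        build_ping_argv(host, count),
        capture_output=True,
        text=True,
        timeout=10,
        check=False,
    )
    return result.returncode


def shell_safe_command(host: str) -> str:
    """Only for the rare case where a shell string is unavoidable:
    validate first, then quote as defence in depth."""
    return "ping -c 1 " + shlex.quote(validate_hostname(host))


if __name__ == "__main__":
    print(build_ping_argv("example.com"))
    for candidate in ("example.com;ls", "-n", "$(uname)"):
        print(candidate, "->", "rejected" if not is_safe_hostname(candidate) else "accepted")
```

The important design choice is that validation and argv construction are separate, testable functions: a reviewer can check the regex and the list form without running ping at all, which is also how a unit test on a build host can cover code that only runs on the device.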
July 19th: The CrowdStrike incident brings down a number of systems running Windows, including kiosks at airports and the like. See my writeup https://ygreky.com/2024/07/what-can-embedded-developers-learn-from-the-crowdstrike-issue/ and hundreds of articles over the Internet. CrowdStrike has released a post-incident review at https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
July 19th: LWN writes about work for restricted (and likely embedded) systems that will allow running only approved scripts https://lwn.net/Articles/982085/
July 23rd: ISC releases a new BIND DNS server version fixing four high severity vulnerabilities, CVE-2024-0760, CVE-2024-1737, CVE-2024-1975 and CVE-2024-4076; one of them is server instability after a flood of specific messages, see https://kb.isc.org/docs/aa-00913
July 23rd: After a disruption of heating services in Lviv, Ukraine, researchers find malware on industrial control systems, communicating over Modbus, see the writeup from DarkReading https://www.darkreading.com/ics-ot-security/novel-ics-malware-sabotaged-water-heating-services-in-ukraine
July 24th: TruffleSecurity shows that (by design) certain commits from private and deleted branches can be accessible to anyone https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github and my writeup https://ygreky.com/2024/07/deleted-your-fork-is-it-gone-not-really/ (short version: if you have ever committed any secrets to a GitHub repo, even private, change them now)
July 25th: Binarly research shows that at least 10 vendors use a test “DO NOT TRUST” secure boot key in their production devices https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem
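A simple check a device maintainer can run on a Linux host is to read the Platform Key (PK) variable and look for the “DO NOT TRUST” marker string, which appears in clear text in the certificate subject. This is an added heuristic example of my own, not Binarly’s tooling; the efivars path uses the standard EFI_GLOBAL_VARIABLE GUID, and the sample blobs at the bottom are constructed for the demonstration, not real keys.

```python
from pathlib import Path
from typing import List, Optional, Sequence

# Standard EFI_GLOBAL_VARIABLE GUID; the PK variable lives under this name on
# Linux when efivarfs is mounted. The file starts with 4 bytes of attributes
# followed by the EFI_SIGNATURE_LIST data, but a byte search does not care.
PK_EFIVAR_PATH = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")

# Marker text known from the PKfail reporting; callers may extend this list.
DEFAULT_MARKERS: Sequence[str] = ("DO NOT TRUST",)


def find_test_key_markers(blob: bytes, markers: Sequence[str] = DEFAULT_MARKERS) -> List[str]:
    """Return the markers found in the blob, case-insensitively.

    X.509 subject strings are stored as ASCII in the DER certificate inside the
    signature list, so a plain substring search is enough for this heuristic.
    """
    haystack = blob.upper()
    return [m for m in markers if m.upper().encode("ascii") in haystack]


def pk_looks_like_test_key(blob: bytes) -> bool:
    return bool(find_test_key_markers(blob))


def read_pk_variable(path: Path = PK_EFIVAR_PATH) -> Optional[bytes]:
    """Read the PK variable, or None if the host is not UEFI or lacks efivarfs."""
    try:
        return path.read_bytes()
    except (FileNotFoundError, PermissionError, OSError):
        return None


# Constructed sample blobs (NOT real certificates) to exercise the check offline.
SAMPLE_TEST_PK = b"\x07\x00\x00\x00" + b"\x30\x82" + b"DO NOT TRUST - Example Test PK" + b"\x00" * 8
SAMPLE_VENDOR_PK = b"\x07\x00\x00\x00" + b"\x30\x82" + b"Example Vendor Platform Key" + b"\x00" * 8


if __name__ == "__main__":
    data = read_pk_variable()
    if data is None:
        print("PK variable not readable on this host; showing constructed samples instead")
        for name, sample in (("test", SAMPLE_TEST_PK), ("vendor", SAMPLE_VENDOR_PK)):
            print(name, "->", find_test_key_markers(sample) or "no markers")
    else:
        hits = find_test_key_markers(data)
        print("WARNING: PK contains test-key marker(s):" if hits else "No test-key marker found in PK", hits)
```

A negative result from this check does not prove the PK is trustworthy, only that it does not carry the known marker text; a positive result is a strong signal that the device shipped with a key whose private half is not under the vendor's control, which is the condition Binarly describes.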
News: My new Embedded Security course has been announced. It is designed to help embedded developers include security best practices in their day-to-day work. No need to be a security expert. For more information and to sign up, see https://ygreky.com/2024/07/announcing-the-embedded-security-course/
If you have an additional event to add, message me!
If you have received this newsletter as a forwarded message, you can subscribe.