A Timesys Deep Dive Embedded Systems Newsletter

April 2023

Cybersecurity in the News: "Remote Code Execution CVE Patched in Version 12.7.1"

According to CVE Details, “sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c.”

“The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE).”

But there’s good news to be had as well! This CVE has been patched in version 12.7.1. 

Need more info on these vulnerabilities?

With an average of 420 new CVEs every week, how do you cut through the noise and take action on the vulnerabilities that pose the largest threat to your device?

We launched the Timesys CVE Dashboard and update it weekly with details on the dangerous security vulnerabilities that could be affecting your device.

Take me to the CVE Dashboard

Cybersecurity News

FDA Amends Omnibus Act to Ensure Cybersecurity of Medical Devices

Is your medical device at risk of being rejected starting Oct 1st?

If you rely on a “freeze and release” strategy, or worse, have no formal strategy for ensuring “that [your] device and related systems are cybersecure,” then you could be in for a rough time.

This all stems from the FDA update to the FD&C Act (Federal Food, Drug, and Cosmetic Act) released at the end of last month, shortly after the White House released a National Cybersecurity Strategy to “rebalance the responsibility to defend cyberspace” and “realign incentives to favor long-term [security] investments.” The FDA “will begin to ‘refuse to accept’ medical devices and related systems over cybersecurity reasons beginning Oct. 1. All new device submissions must include detailed cybersecurity plans beginning March 29.”

What does this mean for the cybersecurity and embedded communities?

Are you ready to “submit plans to monitor, identify and address in a ‘reasonable timeframe’ any determined post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosures and plans”? How about including an SBOM submission to the FDA “to demonstrate reasonable assurance that the device and related systems are cybersecure”?

If you already have a system in place that shows, with reasonable assurance, “that the device and related systems are cybersecure” and that you’re able to create justified, regular post-market updates and patches to the device and connected systems that address “known unacceptable vulnerabilities,” then you’re all set!

But if you need to modify your cybersecurity strategy in a short amount of time, don’t have the embedded Linux expertise to approve a maintenance plan, or the in-house resources and manpower to keep your devices secure for their entire 10+ year product life cycle, then try our long-term Linux OS and BSP Maintenance.

The 4-day crash course will begin on Tuesday, March 7th. If you miss a day, no worries! We’ll be sending daily recordings of the sessions to anyone that registers along with bonus materials.

CVE Monitoring & Mitigation

How Does Vigiles Help Keep You Ahead of Vulnerabilities?

Did you know that in 2022, over 25 thousand new Common Vulnerabilities and Exposures (CVE) entries were published, the highest annual figure to date? With over 450 new CVEs uncovered each week, it can seem like an impossible feat to stay on top of security needs for your products.

Vigiles is a CVE monitoring, mitigation, and SBOM management tool that helps keep your team ahead of the ever-evolving cybersecurity landscape and new regulatory mandates. Just one of Vigiles’ many features is automatic alerting on unapproved license types and on CVEs that exceed a CVSS score threshold, which supports policy management.

Vigiles CVSS Alerts help ensure that developers do not introduce packages with high or critical CVEs into your product software. Vigiles License Alerts let you identify or flag violations of company license policy, such as a package with an unapproved license being installed on the target device, helping your team stay in compliance through policy enforcement. You can choose to receive CVSS and License alerts by email or have an issue created in Jira.

Additionally, Vigiles provides up to 40% accuracy improvement over the National Vulnerability Database (NVD) with Timesys’ curated CVE/CPE database. With Vigiles, you can rest easy knowing that you won’t get blindsided by CVEs in your products.

4-Day Crash Course

APAC & EMEA: Timesys hosting the “Sick and Tired of Vulnerabilities” Embedded Linux Yocto Developer SBOM & CVE Webinar Crash Course

The Timesys 4-day crash course webinar series on how to combat false-positive CVEs, bad SBOM data, and a tedious mitigation process was so popular, that we’re excited to announce we will be hosting it again in APAC and EMEA time zones!

Across the four days, in less than an hour each day, we’ll go over:

  • Different SBOM options, how you can generate them, and which methods and formats actually matter for embedded Linux devices
  • How to master the data presented in CVE listings, find all the relevant and related information, know what to look out for in the data that will mess up your process, and keep up with new CVEs
  • A three-step process for prioritizing vulnerabilities with frameworks for efficiently classifying your CVEs, and a workflow that you can use for your initial triage and ongoing maintenance as well
  • And how to leverage automation and see what kind of impact your tool choice has on your process

The 4-day crash course for APAC and EMEA will begin on Monday, May 29th. If you miss a day, no worries! We’ll be sending daily recordings of the sessions to anyone that registers along with bonus materials.

You can find out more details about the series and save your free seat below:

Thursday Tech Tip

Thursday Tech Tip: Kernel Panic (at the disco)

For this month’s Thursday Tech Tip, one of our engineers was asked how to reproduce a kernel crash and diagnose the issue:

When you hit a kernel panic or oops, the first step is to identify the root cause so that it does not recur. The faulting virtual address printed in the message (the PC or RIP value) pins down the instruction that crashed and, from that, the driver that contains it.

How can you analyze the root cause? If the kernel was built with CONFIG_KALLSYMS, the oops already resolves the address to function+offset/size [module] and you can go straight to the disassembly. Otherwise, take each loaded module’s base address and code size (from /proc/modules; the address column is only shown to a privileged user) and find the module whose range [base, base+size) contains the faulting address. Modules loaded in the same order as on the crashing system usually land at the same addresses, so reproducing the crash and reading the addresses off the running system works well in practice. Subtracting the module’s load address from the faulting virtual address gives the offset into the module binary of the instruction that caused the panic.

Run objdump on the kernel module binary (objdump -d module.ko, or objdump -dS to interleave source) and look up that offset in the disassembly of .text to see which function it falls in; the offset is .text-relative as long as .text is the first section laid out in the module, which is the normal case. Line numbers are available only if the module was built with debug info (CONFIG_DEBUG_INFO); in that case addr2line -f -j .text -e module.ko <offset> prints the file and line directly.
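The range lookup and offset computation above, as an added example written for this newsletter; it is not Timesys code or the engineer’s own script. The module table, module names and faulting addresses are constructed for illustration (32-bit ARM-style module region), and KO_DIR is an assumed directory holding the unstripped .ko files that match the running kernel.

```sh
#!/bin/sh
# Added example, not Timesys code: locate the module that contains a faulting
# kernel virtual address from an oops, and turn it into a module-relative
# offset for objdump/addr2line.
#
# Module table format is that of /proc/modules:
#   name size refcount deps state base_address
# (the base address column is only visible to a privileged user).
# The table below is constructed for this example; on a live target use:
#   module_for_addr <addr> "$(cat /proc/modules)"
SAMPLE_MODULES='mydrv 20480 0 - Live 0xbf010000
i2c_sensor 12288 1 mydrv, Live 0xbf000000
'

# Print "<module> <offset>" for the module whose [base, base+size) range
# contains ADDR. ADDR may be given with or without the 0x prefix, as the oops
# prints it ("pc : [<bf0123c8>]" on ARM). Returns 1 when no module covers it,
# i.e. the address is in the core kernel or in an already-unloaded module.
module_for_addr() {
    case $1 in
        0x*|0X*) addr=$(( $1 )) ;;
        *)       addr=$(( 0x$1 )) ;;
    esac
    while read -r name size _refs _deps _state base _rest; do
        [ -n "$name" ] || continue
        b=$(( base ))
        if [ "$addr" -ge "$b" ] && [ "$addr" -lt "$(( b + size ))" ]; then
            printf '%s 0x%x\n' "$name" "$(( addr - b ))"
            return 0
        fi
    done <<EOF
$2
EOF
    return 1
}

# Map the offset back to a function and source line. KO_DIR (assumed) holds
# the unstripped .ko files for the running kernel; note that /proc/modules
# shows '_' where the file name may use '-'. Line numbers need the module
# built with debug info (CONFIG_DEBUG_INFO); objdump -d alone still names the
# function. addr2line is only run if the .ko is actually present.
symbolize() {
    hit=$(module_for_addr "$1" "$2") || { echo "no loaded module covers $1"; return 1; }
    name=${hit%% *}
    off=${hit##* }
    ko="$3/$name.ko"
    end=$(printf '0x%x' "$(( $off + 0x40 ))")
    # A .ko is a relocatable object whose .text starts at 0, so the offset is
    # section-relative (-j .text), not an absolute address.
    echo "addr2line -f -i -j .text -e $ko $off"
    echo "objdump -dS $ko --start-address=$off --stop-address=$end"
    if [ -f "$ko" ]; then
        addr2line -f -i -j .text -e "$ko" "$off"
    fi
}

# Stand-alone demo: faulting PC 0xbf0123c8 against the constructed table.
symbolize "${1:-0xbf0123c8}" "${MODULES:-$SAMPLE_MODULES}" "${KO_DIR:-.}"
```

On the constructed table, 0xbf0123c8 resolves to mydrv at offset 0x23c8, and the script prints the addr2line and objdump invocations to run against mydrv.ko. Addresses from a 64-bit kernel (0xffffffff…) exceed the signed range of shell arithmetic; bash and dash wrap them consistently so the comparisons still hold, but if in doubt do the subtraction in Python or with the calculator of your choice.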

Additionally, to capture the function calls that led up to an oops on the serial console, enable ftrace from boot by putting the parameters on the kernel command line (the kernel must be built with CONFIG_FUNCTION_TRACER).

For example:
root=/dev/mmcblk0p5 rootwait rw console=ttyS3,115200 ftrace=function ftrace_dump_on_oops

When the oops occurs, the kernel dumps the ftrace ring buffer to the console after the oops message, so the trace survives on the serial line even if the system is unusable afterwards. Be aware that function tracing of every kernel call is heavy, and dumping a full buffer at 115200 baud takes a while; ftrace_dump_on_oops=orig_cpu dumps only the buffer of the CPU that oopsed, which is usually all you need.

Have a Tech Tip question for our team of expert engineers? Ask away and we’ll feature it in the next newsletter:

Learn with Timesys

Is vulnerability management a regular part of your product management?

(Spoiler alert: It better be.)

What is Cybersecurity Whack-a-Mole?

There’s an old saying in the enterprise IT security space: “The good guys need to get it right every time. The bad guys need to get it right only once.” What does this mean for an enterprise IT department’s cybersecurity defenses? How do you stay on top of vulnerabilities and ahead of security risks? This blog discusses the importance of vulnerability management and outlines an effective risk mitigation process.

Upcoming

Events Around the World You Don’t Want to Miss

NXP Americas DFAE Technical Training Partner Reception

Renaissance Austin Hotel in Austin, Texas – May 17

The NXP Americas DFAE Technical Training event equips you with the expertise needed to support customers on the latest cybersecurity technologies. This week-long event focuses heavily on hands-on workshops, in-depth product training, live demonstrations, and strategic presentations from NXP leadership. Join Timesys for an exciting discussion on how to rethink and overcome cybersecurity challenges!

Unraveling the Mysteries of Securing Keys: Leveraging PKCS#11 with OP-TEE for Securing IoT Keys and Certificates on i.MX93

Timesys & NXP Live Webinar 11 AM ET on May 24

With multiple software- and hardware-based solutions for securely storing and using keys and certificates on IoT devices, it can be a challenge to determine which is the best practice to implement. Join NXP and Timesys for a webinar that explores PKCS#11, a standard interface for secure key and certificate storage that has been around since 1995 and is widely used in the enterprise and PC world, and discover how you can leverage PKCS#11 with OP-TEE on i.MX platforms to ensure your keys and certificates are properly secured.

Vulnerability Management for Embedded

Tools & Techniques to Monitor and Remediate Vulnerabilities in Your SBOM

May 18 @ 12 PM EDT / 9 AM PT

In this monthly live webinar and Q&A session, you’ll learn essential ways to avoid a five-figure mistake along with:

– Why you need to manage your open-source software risks 
– How to generate an accurate SBOM (Software Bill of Materials) and why it matters
– Tools and techniques to monitor and remediate vulnerabilities in your SBOM
– And much more!

 

Subscribe to our newsletter so you don’t miss a thing.