A Timesys Deep Dive Embedded Systems Newsletter

December 2022

Cybersecurity in the news:

PATCH IMMEDIATELY: Critical Local Privilege Escalation Vulnerability Found in Linux Kernel

According to Linux Security, this use-after-free vulnerability in the Linux kernel, published by Red Hat, allows for local privilege escalation.

“This vulnerability is referred to as a use-after-free problem, and it can be found in io_uring on the update of a reference count. io_uring is an interface for making system calls in Linux. It made its debut for the very first time in the mainline Linux kernel version 5.1 in the year 2019. It gives an application the ability to start system calls that may be carried out in an asynchronous manner.

A use-after-free vulnerability and a local privilege escalation may be caused in the Linux kernel by incorrectly updating the reference count in the io_uring function.”

Need more info on these vulnerabilities?

With an average of 420 new CVEs every week, how do you cut through the noise and take action on the vulnerabilities that pose the largest threat to your device?

We launched the Timesys CVE Dashboard and update it weekly with details on the dangerous security vulnerabilities that could be affecting your device.

Take me to the CVE Dashboard

Vigiles

SPDX SBOM Support Added to Vigiles alongside New Features, Changes, and Bug Fixes

In the newest Vigiles update released earlier this month, Timesys implemented some exciting new features such as an option to apply a note to all CVEs when whitelisting a package or to receive an alert when a new package is added to a chain of linked SBOMs!

New Vigiles features also include:

  • SPDX: Add support for downloading SBOMs in SPDX-lite format
  • SPDX: Add homepage to SPDX SBOM
  • CVE Report: Add an option to apply a note to all CVEs when whitelisting a package
  • Alerts: Add an option to receive an alert when a new package is added to a chain of linked SBOMs

Additional changes in this release include:

  • SBOM editor: Redirect to the latest report if the only change was to licenses instead of generating a new report
  • SBOM editor: Show license changes in the summary modal
  • CVE search: Remember the selected search type
  • CVE report: Improve page load time

Bug fixes in this release include:

  • Search SBOMs: Remove duplicate package entries
  • Notifications: Fix an error that prevented some notifications from being emailed

Holiday Special

On the 25th Day of Christmas, my computer sent to me: The Timesys Advent Calendar~♫

In honor of the holidays, Timesys hosted an Advent Calendar throughout December featuring security tips, tools, and tricks to help you get more secure in anticipation of the New Year. Missed the webinar series on designing OTA updates for secure embedded Linux systems or the Timesys eBook on cybersecurity? You can catch up on each of the holiday gifts at the Timesys Advent Calendar page below!

In addition, we’re excited to share that the Lunch & Learn opportunity is being extended through the end of January. If you’re not sure where to start when it comes to securing your products, embedded Linux devices, or customizing Yocto, or you’re looking to refresh your company on security best practices in the New Year, a Lunch & Learn is a simple way to start. To set up a customized Lunch & Learn session for you and/or your company, click the link below!

Jump Start Service

Jump Start Training: Get a JUMP on Your Embedded Linux Development.

Ready to get answers to your questions about how to get started with Yocto Project or Timesys Factory, setting up your embedded Linux development environment, and booting a dev kit in the New Year? Until the end of January, if you reserve your Jump Start training now for anytime in 2023, you will get a half-price discount on the per-trainee rate, for up to five people!

The Timesys Jump Start Service is a tailored program through which a Timesys engineer works with you and your team to deliver a customized, two-day embedded Linux training with hands-on exercises based on your application requirements. The Timesys Jump Start Service — which is typically delivered for a maximum of two people — begins with a review of your project and identification of your mini goal(s), after which we customize hands-on exercises, set up a training agenda, and work with you to accomplish your mini goals.

Introduction to Containers on Embedded Linux

Learn with Timesys

How can containers help solve a myriad of problems, including enabling legacy applications to run on newer embedded targets?

In our newest blog, learn how containerized applications, long a common solution in the server and even desktop space, can be leveraged in embedded projects to decouple application development from development of the embedded platform itself in timelines, teams, and tools. Containers can even let application developers work on desktop or workstation targets first and deploy to the actual target hardware later.


Vulnerability Management for Embedded

Tools & Techniques to Monitor and Remediate Vulnerabilities in Your SBOM

January 19 @ 12 PM EDT / 9 AM PT

In this monthly live webinar and Q&A session, you’ll learn essential ways to avoid a five-figure mistake along with:

– Why you need to manage your open-source software risks
– How to generate an accurate SBOM (Software Bill of Materials) and why it matters
– Tools and techniques to monitor and remediate vulnerabilities in your SBOM
– And much more!


Subscribe to our newsletter so you don’t miss a thing.