A Timesys Deep Dive Embedded Systems Newsletter

May 2023

Cybersecurity in the News: "Barracuda Customer Email Security Breach Due To Zero-Day Vulnerability and Mali GPU Kernel Driver Compromised"

CVE-2023-2868

According to CRN, “Some Email Security Gateway customers [of Barracuda] were impacted by a breach last week that exploited a zero-day vulnerability in the appliance.” CRN goes on to explain, “The investigation so far has found that the vulnerability ‘resulted in unauthorized access to a subset of email gateway appliances.’ Affected [Barracuda] customers have been notified.

The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE).”

This vulnerability arises from a failure to comprehensively sanitize the processing of .tar files (tape archives); it stems from incomplete input validation of a user-supplied .tar file, specifically of the names of the files contained within the archive.
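As an added illustration of the defensive side of this bug class (example code written for this newsletter, not Barracuda's or anyone else's fix), the snippet below validates every member name of a user-supplied tar archive against a strict allowlist before the archive is processed any further. The allowlist and the sample archive are assumptions constructed here; the point is that member names are untrusted input and must be checked as such.

```python
import io
import re
import tarfile

# Allowlist: each path segment is [A-Za-z0-9._-], starts alphanumeric, and segments are
# joined by "/". Anything else (spaces, quotes, shell metacharacters, absolute paths,
# "." or ".." components, NUL bytes) is rejected before the name is used anywhere.
_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def member_name_is_safe(name: str) -> bool:
    """Return True only if a tar member name is a plain relative path of safe segments."""
    if not name or name.startswith("/") or "\\" in name or "\x00" in name:
        return False
    segments = name.split("/")
    return all(seg not in ("", ".", "..") and _SEGMENT.match(seg) for seg in segments)


def scan_archive(data: bytes) -> list:
    """Read an in-memory tar and report (member_name, accepted) for every entry.

    The archive is only listed here, never extracted, so a rejected name can be
    logged and the whole upload dropped without touching the filesystem.
    """
    results = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            results.append((member.name, member_name_is_safe(member.name)))
    return results


def build_sample_archive() -> bytes:
    """Constructed sample archive: two benign names and two a strict validator must reject."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("report.txt", "logs/2023-05.log", "../etc/passwd", "bad name.txt"):
            payload = b"sample\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, accepted in scan_archive(build_sample_archive()):
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {name!r}")
```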

Need more info on these vulnerabilities?

CVE-2022-46396

In addition to the above CVE, this Mali GPU Kernel Driver CVE allows improper GPU memory processing operations: a non-privileged user can perform such operations to access a limited amount of memory outside of buffer bounds. The good news is that this issue is fixed in Valhall and Avalon GPU Kernel Driver r42p0!

With an average of 420 new CVEs every week, how do you cut through the noise and take action on the vulnerabilities that pose the largest threat to your device?

We launched the Timesys CVE Dashboard and update it weekly with details on the dangerous security vulnerabilities that could be affecting your device.

Take me to the CVE Dashboard

Cybersecurity News

Could you be held liable for a security breach for a device you are manufacturing and selling?

If you haven’t heard already, the White House released a National Cybersecurity Strategy to “rebalance the responsibility to defend cyberspace” and “realign incentives to favor long-term [security] investments.”

What does this mean for the cybersecurity and embedded communities?

In essence, this new strategy issued by the President moves the responsibility for defending cyberspace away from individuals and onto the organizations and stakeholders most capable of taking action to prevent security risks. That means manufacturers, developers, and software publishers like you are now the stewards of embedded IoT device security.

Click the video above or the button below to learn more about what this strategy highlights and what you can do to stay ahead of compliance and regulation mandates such as these.

Custom distributions and their maintenance

Regardless of your embedded Linux build, you have to maintain your OS and BSP to stay ahead of security threats.

The outdated strategy of “freeze and release” — freezing a device’s software at product launch with no plan or process to update it in the field — puts devices at high risk of security compromise. Whether you use the Yocto Project, Buildroot, or the Timesys Factory build system, regular upgrades are needed to ensure device security, to apply bug fixes, and to support newer hardware and technologies.

Our Linux OS/BSP Maintenance subscription service provides long-term security updates and maintenance of your Linux OS/BSPs and is available for Yocto Project, Buildroot, and Timesys Factory build systems.

Long-Term Linux OS & BSP Maintenance provides:

  • Regular updates that include bug fixes, support for new end-of-life parts, and new package features
  • Less than half the cost of a junior engineer, freeing up your resources so you can work on next-gen products
  • Automated documentation of fixed vulnerabilities between releases to boost industry compliance
  • Joint review and analysis to identify CVEs that pose the highest risk
  • An emergency release in case of a zero-day vulnerability

All at less than half the cost of a junior engineer, so you can free up your resources to work on next-gen products!

4-Day Crash Course

APAC & EMEA: Last day of the “Sick and Tired of Vulnerabilities” Embedded Linux Yocto Developer SBOM & CVE Webinar Crash Course

The Timesys 4-day crash course webinar series in APAC and EMEA time zones on how to combat false-positive CVEs, bad SBOM data, and a tedious mitigation process is coming to an end! 

If you haven’t yet, now is your last chance to join in and get access to the last day’s session and recordings of the previous four days! Across the four days, in less than an hour each day, you’ll learn:

  • Different SBOM options, how you can generate them, and which methods and formats actually matter for embedded Linux devices
  • How to master the data presented in CVE listings, find all the relevant and related information, know what to look out for in the data that will mess up your process, and keep up with new CVEs
  • A three-step process for prioritizing vulnerabilities with frameworks for efficiently classifying your CVEs, and a workflow that you can use for your initial triage and ongoing maintenance as well
  • And how to leverage automation and see what kind of impact your tool choice has on your process

Anyone who registers will receive daily recordings of the sessions along with bonus materials.

You can find out more details about the series and save your free seat below:

Learn with Timesys

Designing Yocto platforms for scalability and maintainability across product lines

Scaling software development is a perennial problem. As product lines grow, maintenance costs for device manufacturers can increase dramatically when software is ported and reused from one product to the next. This can balloon into major issues like security vulnerability duplication, increased testing, and difficulty getting new products up and running. This blog discusses the importance of scalability and maintainability across product lines and how to achieve it.

Upcoming

Events Around the World You Don’t Want to Miss

Strengthening IoT Security on i.MX9: Unveiling the Power of Secure Boot, Chain of Trust, and IP Protection on Linux-based Devices

Timesys & NXP Live Webinar

June 29 

As Linux-based IoT devices become increasingly prevalent in various industries, ensuring robust security measures has become paramount. In this webinar, we will explore the trifecta of secure boot, chain of trust, and intellectual property (IP) protection on Linux-based IoT devices, providing you with the knowledge and tools to safeguard your IoT deployments.

Join us as we delve into the intricacies of secure boot, chain of trust, and IP protection, and learn how to leverage i.MX9 hardware capabilities to achieve the same.

Vulnerability Management for Embedded

Tools & Techniques to Monitor and Remediate Vulnerabilities in Your SBOM

June 15 @ 12 PM EDT / 9 AM PT

In this monthly live webinar and Q&A session, you’ll learn essential ways to avoid a five-figure mistake along with:

– Why you need to manage your open-source software risks
– How to generate an accurate SBOM (Software Bill of Materials) and why it matters
– Tools and techniques to monitor and remediate vulnerabilities in your SBOM
– And much more!


Subscribe to our newsletter so you don’t miss a thing.