Embedded Systems

 

A TIMESYS DEEP DIVE

 

April 2024

Cybersecurity in the news

Urgent Security Alert: High-Risk Backdoor in XZ Utils Affecting SSH Authentication

This newly reported vulnerability represents a significant supply chain attack, and it is particularly concerning because of its ability to intercept SSH authentication data.

The CVE-2024-3094 attack involves malicious alterations made to the upstream tarballs of the XZ Utils library by a once-trusted developer. These changes specifically target liblzma code, creating a backdoor during the build process.

System Susceptibility: The vulnerability affects any system using the compromised versions of XZ Utils, posing risks of unauthorized data modification and interception. Developers and security teams should prioritize applying patches and closely monitoring version control and build processes.


With an average of 420 new CVEs every week, how do you cut through the noise and take action on the vulnerabilities that pose the largest threat to your device?

We launched the Timesys CVE Dashboard and update it weekly with details on the dangerous security vulnerabilities that could be affecting your device.

EU Cyber Resilience Act Advances

Key Updates from the EU CRA and New Obligations for Digital Product Manufacturers

The European Union has reached a consensus on the Cyber Resilience Act, setting the stage for significant changes in cybersecurity regulations for products with digital elements.

The act emphasizes quick vulnerability disclosure, stringent security incident notifications, and due diligence for imported digital products. The phased implementation of the EU CRA begins in late 2025, with full obligations enforced by early 2027.

Starting in late 2025, manufacturers and importers will face new obligations including:

  • Obligations for manufacturers and importers of “products with digital elements” (“PDEs”) – a category which is defined broadly to include both hardware and software products.
  • Designing PDEs to meet certain essential cybersecurity requirements through risk assessment and protection against known vulnerabilities.
  • Submitting PDEs to conformity assessments.
  • Notifying identified vulnerabilities (within 24 hours) to the relevant national cybersecurity authority, the entity that maintains the vulnerable PDE and, potentially, ENISA.
  • Notifying severe security incidents to ENISA, the relevant national cybersecurity authority, and users of the PDE.
  • Conducting due diligence on imported PDEs.

These measures aim to enhance the security of both hardware and software products sold within the EU.

Timesys and ICS Webinar Recap

Unlock the Secrets to Medical Device Compliance: Webinar Replay Available!

In our continuous effort to align with industry standards and regulatory requirements, Lynx is releasing a reference SBOM for MOSA.ic using Vigiles.

If you couldn’t attend our recent webinar with ICS, here’s your chance to discover essential strategies for managing vulnerabilities in medical devices. We covered the critical aspects of vulnerability management, from identification through mitigation, and discussed the importance of SBOMs in regulatory compliance. Ensure your medical device development meets the rigorous demands of the FD&C PATCH Act.

Watch the Recording: Dive deep into the complexities of medical device cybersecurity. Gain expert insights on how to navigate these challenges and ensure compliance with the latest FDA regulations.

When you register to watch the above webinar recording, you’ll also get:

  • A copy of the webinar presentation to quickly bring your team up to speed on the new regulations for medical devices, ratifications of section 524B of the FD&C PATCH Act, best practices for becoming compliant, and methods to effectively manage CVEs and SBOMs.
  • A complete Q&A document that centralizes the questions everyone asked during the webinar and following it.
  • A workbook guide to advance your learning and note-taking during the webinar and streamline processing the essential information shared on the critical subject of medical device cybersecurity.

New Threat Advisory

ACIDPOUR MALWARE THREATENS LINUX SYSTEMS – DISCOVER DEFENSIVE STRATEGIES TO PROTECT YOUR INFRASTRUCTURE

AcidPour represents a major evolution in the cyber threat landscape: it is specifically designed to attack Linux systems on x86 architecture. A more potent variant of the notorious AcidRain, this malware exploits vulnerabilities with unprecedented efficiency. By combining destructive techniques seen in previous malware forms, this variant is able to target a broader array of devices.

The discovery of AcidPour underlines the critical need for continuous vigilance and robust cybersecurity frameworks.

Discover How to Secure Your Systems

Timesys VigiShield offers a robust defense against evolving cyber threats like AcidPour. Delve into the importance of preventative measures and the advanced security solutions available to protect critical infrastructure from such malicious attacks.

New Blog Alert

From Linux Binaries to Security: Unlocking the Power of SBOMs in CVE Scanning Without Source Code

Navigating the complexities of open source software maintenance is critical, especially when source code is not readily available. Our latest blog explores how you can generate a Software Bill of Materials (SBOM) from Linux binaries using the cve-bin-tool, enabling you to identify and manage vulnerabilities effectively. Understand the vital role of SBOMs in scanning for Common Vulnerabilities and Exposures (CVEs) and enhancing your cybersecurity measures.

Dive into the process of SBOM generation and learn how to leverage this tool for better security management of your software.

Lynx and Timesys at Aerospace TechWeek

Advancing Mission-Critical Software Solutions

Lynx Software Technologies, alongside Timesys, made a significant impact at Aerospace TechWeek in Munich, discussing crucial advancements in Linux systems for aerospace applications. Highlighting the journey towards adopting the best of Linux without compromising system safety and security, the event was a showcase of Lynx’s commitment to meeting stringent aerospace standards, particularly in vulnerability patch management.

Michel Genard of Lynx Software Technologies also delivered a compelling talk at the event, diving into the technical research surrounding the Component Specification Model (CSM) to enhance the Aviation Mission Computing Environment. His insights on customer feedback and market analysis underscored the potential for creating reusable software that meets the exacting demands of mission-critical systems.

Introducing Vigiles-CLI

Revolutionize Your SCA Workflow with Vigiles-CLI: Seamless Integration and Enhanced Security

Vigiles-CLI, our latest innovation in Software Composition Analysis (SCA), is designed to seamlessly integrate with your CI/CD workflows, enhancing the generation and management of SBOMs across different ecosystems, including embedded Linux devices. By partnering with third-party tools like syft, Vigiles-CLI not only streamlines the SBOM generation process but also significantly reduces false positives, making your vulnerability management more efficient and reliable.

Dive into the streamlined world of Vigiles-CLI and see how it can improve your security operations. Detailed setup instructions, usage tips, and configuration options are all covered in our comprehensive guide.

Vulnerability Management for Embedded

May 23 @ 12 PM EDT / 9 AM PT

In this monthly live webinar and Q&A session, you’ll learn essential ways to avoid a five-figure mistake along with:

– Why you need to manage your open-source software risks
– How to generate an accurate SBOM (Software Bill of Materials) and why it matters
– Tools and techniques to monitor and remediate vulnerabilities in your SBOM
– And much more!

Tools & Techniques to Monitor and Remediate Vulnerabilities in Your SBOM

NVD Processing Delays: The Ripple Effect Through the Cybersecurity Landscape

March 2024

Critical Zero-Day Vulnerability

February 2024

Critical Alert: “Leaky Vessels” Vulnerability Threatens Container Isolation Across Docker and runc

PixieFail: 9 Vulnerabilities in Tianocore’s EDK II IPv6 Network Stack

January 2024

Windows and Linux devices can be hacked by malicious logo images

December 2023