A Timesys Deep Dive

Embedded Systems

September 2023

Cybersecurity in the news: "Critical Zero-Day Vulnerability" Recently Disclosed in the WebP Image Library, and 7 More Vulnerabilities Exposed

CVE-2023-41993

This vulnerability in WebKit allows arbitrary code execution when processing web content, and it has been reported as actively exploited in the wild.

The "0day in WebP" named in the headline is a different bug, not CVE-2023-41993 (which is a WebKit issue). That WebP flaw "poses a significant security risk across numerous software applications and platforms." It was originally reported by Apple and Citizen Lab and tracked as CVE-2023-4863 against Google Chrome, but "has since been reclassified as CVE-2023-5129 and correctly attributed as a flaw in libwebp with a maximum 10/10 severity rating." (CVE-2023-5129 was subsequently withdrawn as a duplicate, so CVE-2023-4863 remains the identifier to track.) Because libwebp is linked into far more than browsers, any embedded image that decodes WebP should be checked for a libwebp older than 1.3.2, the release that carries the fix.
CVE-2023-39928

This is a use-after-free vulnerability in the MediaRecorder API of WebKitGTK that can lead to memory corruption. A specially crafted web page can trigger it to corrupt memory and potentially achieve arbitrary code execution; the user only needs to visit the malicious page.

Not listed on the NVD at the time of writing.

CVE-2023-35074

This vulnerability is a memory-handling issue in WebKit that can enable arbitrary code execution when processing web content. It is fixed in tvOS 17, Safari 17, watchOS 10, iOS 17 and iPadOS 17, and macOS Sonoma 14; the NVD listing states that the entry is under reanalysis, so its details may still change.
CVE-2023-39434

Similar to the above, this is a use-after-free in WebKit that can result in arbitrary code execution when processing web content. It is fixed in iOS 17 and iPadOS 17, watchOS 10, and macOS Sonoma 14; the NVD entry is likewise under reanalysis, so the information may change.
CVE-2023-40451

This CVE is a weakness in WebKit's iframe sandbox enforcement: an attacker who already has JavaScript execution in a page may be able to use it to execute arbitrary code. It was addressed with improved iframe sandbox enforcement and is fixed in Safari 17.
CVE-2023-41074

In this CVE, insufficient checks in WebKit allow processing of web content to lead to arbitrary code execution; Apple addressed it with improved checks. The issue is fixed in tvOS 17, Safari 17, watchOS 10, iOS 17 and iPadOS 17, and macOS Sonoma 14.
CVE-2023-5197

This use-after-free vulnerability in the Linux kernel's netfilter nf_tables component can be exploited for local privilege escalation: adding and removing rules from chain bindings within the same transaction leads to a use-after-free. The upstream advisory recommends upgrading to a kernel that contains the fix. For embedded devices, note that nf_tables configuration requires CAP_NET_ADMIN, which an unprivileged process can obtain only through a user namespace, so whether the kernel enables CONFIG_USER_NS and permits unprivileged user-namespace creation largely determines how exposed a device is.
CVE-2023-4921

This use-after-free vulnerability in the Linux kernel's net/sched sch_qfq component can also be exploited for local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers a use-after-free in qfq_dequeue() because of the incorrect .peek handler of sch_plug and missing error checking in agg_dequeue(). Users are again advised to upgrade to a fixed kernel. Configuring qdiscs also requires CAP_NET_ADMIN, so the same user-namespace caveat as for nf_tables applies.
With an average of 420 new CVEs every week, how do you cut through the noise and take action on the vulnerabilities that pose the largest threat to your device?

Vigiles, our SBOM management and CVE monitoring and remediation tool, combines a curated CVE database, a continuous security feed driven by your Software Bill of Materials (SBOM), powerful filtering, and easy triage tools, so you get automatic alerts for the critical vulnerabilities that actually affect your devices.

FDA New “Refuse-to-accept” policy

Medical Device Manufacturers, Are You Ready to Secure Your Empire?

Did you know that beginning October 1st, the FDA will begin to reject, or "refuse to accept," premarket submissions that do not include information on the four new FDA cybersecurity requirements for medical devices? This is the FDA's new refuse-to-accept (RTA) policy, just one piece of the new medical device manufacturer requirements added under Section 524B of the FD&C Act.

The 4 new FDA cybersecurity requirements for medical devices are:

1. Postmarket monitoring

2. Device updates

3. Software Bill of Materials (SBOMs)

4. Regulatory compliance requirements

You can find out more about what is needed to pass the FDA's RTA policy and get your medical device submissions accepted on the Timesys website.

PSA Certified VigiShield Secure By Design

PSA Certified Components Streamline the Process of Integrating Security Measures into IoT Devices, Saving Time and Resources for Manufacturers

One of the most effective ways to reduce the cost of security development, improve security posture, and bring secure devices to market faster is to leverage off-the-shelf, pre-certified components. Platform Security Architecture (PSA) Certified provides a framework for security assessment and certification of processors, system software (e.g., a Linux OS or an RTOS), and devices, evaluated by independent labs.

The PSA Certified framework breaks security design and implementation down into a simple four-step process:

  1. Analyze: identify the threats that could compromise your device and derive a set of security requirements from those risks.
  2. Architect: use those security requirements to select the hardware and firmware components and specifications that give your product the right level of security.
  3. Implement: integrate the trusted components and firmware, using high-level APIs to build in security and to interface with the hardware Root of Trust (RoT).
  4. Certify: submit your device, system software platform or silicon for independent security evaluation to demonstrate your commitment to security best practice.

Device manufacturers can leverage PSA Certified components (processor and system software) to start from a secure platform and focus on their own value-add software. They can also submit their devices for certification to give end customers confidence. Most importantly, PSA Certified requirements are aligned with industry security standards, which eases the work of meeting them.

Our VigiShield Secure by Design security offering is PSA Certified Level 1 (system software certification). VigiShield leverages widely used open source technologies, enables the underlying hardware's security capabilities for best performance, and implements the security best practices recommended by regulatory and industry bodies (FDA, EU MDR, IEC, etc.). VigiShield can also be configured to meet current customer and regulatory requirements, such as NISTIR 8259A and ETSI EN 303 645.

Out of the box, VigiShield includes security features such as software integrity (secure boot and chain of trust), secure storage, secure over-the-air (OTA) updates, Linux kernel and system hardening, secure communication, locked hardware ports, security audit logs and more.

Challenges of Long-Term Maintenance Made Easy

If you’re struggling with Linux OS and BSP security maintenance, engage companies who can bridge your resource gap by maintaining Linux OS security for you.

Kees Cook, a Linux security expert and Google security engineer, illustrated the challenges in maintaining the security of the Linux kernel in a Google Security Blog post. One of the main takeaways was: “If you’re not using the latest kernel, you don’t have the most recently added security defenses (including bug fixes).”

Going the “upstream first” route is the best way to keep the kernel secure. However, it is only part of the story: the challenges faced by device manufacturers running Linux on embedded hardware are quite different.

Most device manufacturers rely on the semiconductor vendor's Linux kernel, delivered as part of the Board Support Package (BSP), in particular for non-x86 devices. In the interest of going to market early, the semiconductor vendor typically freezes a version of the upstream kernel and adds its own patches to support its System on Chip (SoC) or processor.

The device manufacturer is then stuck on a kernel version that no longer receives security or bug fixes, even though those fixes are published in the upstream stable and long-term support (LTS) releases. To get them, the manufacturer has to reapply the vendor's patches (anywhere from tens to tens of thousands of them) on top of the newer upstream kernel, which tends to produce merge conflicts that are difficult to resolve.

Once the conflicts are resolved, testing the updated kernel poses another set of challenges: every subsystem and driver has to be retested to confirm that nothing broke.

Now imagine doing this over and over every week, because on average that is how often a new LTS point release comes out!
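
The rebase step of the procedure described above, as an added example that is not Timesys code or any vendor's tooling: the script builds a throwaway git history with two upstream tags and a two-patch vendor branch (all constructed for the demo), replays the vendor series onto the newer tag with git rebase --onto, and when a patch collides with an upstream change it reports which patch and which files need a human, then aborts so nothing is left half-applied. The tag names (v6.1.30, v6.1.55), branch names, file contents and commit subjects are assumptions; it needs git on the PATH.

```python
"""Added example, not Timesys or vendor code: rebase a BSP patch series onto a
newer upstream tag and report the first conflict. The repository, tag names,
branch names and patches below are constructed for the demo."""
import os
import subprocess
import tempfile

# Fixed identity so commits work on a machine with no git user configured.
GIT_ENV = {**os.environ,
           "GIT_AUTHOR_NAME": "demo", "GIT_AUTHOR_EMAIL": "demo@example.com",
           "GIT_COMMITTER_NAME": "demo", "GIT_COMMITTER_EMAIL": "demo@example.com"}


def git(repo, *args, check=True):
    """Run a git command in `repo`; raise on failure unless check=False."""
    r = subprocess.run(["git", "-C", repo, *args], env=GIT_ENV,
                       capture_output=True, text=True)
    if check and r.returncode != 0:
        raise RuntimeError(f"git {' '.join(args)}: {r.stderr.strip()}")
    return r


def write(repo, name, text):
    with open(os.path.join(repo, name), "w") as f:
        f.write(text)


def make_demo_repo() -> str:
    """Constructed history: upstream tags v6.1.30 and v6.1.55, plus a vendor
    branch of two SoC patches forked at v6.1.30 (the release the vendor froze)."""
    repo = tempfile.mkdtemp(prefix="bsp-demo-")
    git(repo, "init", "-q")
    write(repo, "core.c", "int core(void) { return 1; }\n")
    git(repo, "add", "core.c")
    git(repo, "commit", "-q", "-m", "upstream: base")
    git(repo, "tag", "v6.1.30")
    base = git(repo, "rev-parse", "--abbrev-ref", "HEAD").stdout.strip()

    git(repo, "checkout", "-q", "-b", "vendor/bsp")
    write(repo, "soc.c", "int soc_init(void) { return 0; }\n")
    git(repo, "add", "soc.c")
    git(repo, "commit", "-q", "-m", "vendor: add SoC driver")
    write(repo, "core.c", "int core(void) { return soc_init(); }\n")  # edits core.c
    git(repo, "commit", "-q", "-am", "vendor: hook SoC init into core")

    git(repo, "checkout", "-q", base)
    write(repo, "core.c", "int core(void) { return 2; } /* upstream fix */\n")  # same line
    git(repo, "commit", "-q", "-am", "upstream: security fix in core")
    git(repo, "tag", "v6.1.55")
    return repo


def rebase_vendor(repo, old_tag, new_tag, vendor_branch) -> dict:
    """Replay old_tag..vendor_branch onto new_tag on a fresh work branch.

    Clean run: {"status": "clean", "branch": ..., "replayed": n}.
    Conflict: report the stopped patch and its unmerged files, then abort the
    rebase so the work branch is left exactly at vendor_branch, not half-applied.
    """
    work = f"{vendor_branch}-on-{new_tag}"
    git(repo, "checkout", "-q", "-B", work, vendor_branch)
    r = git(repo, "rebase", "--onto", new_tag, old_tag, check=False)
    if r.returncode == 0:
        n = int(git(repo, "rev-list", "--count", f"{new_tag}..HEAD").stdout)
        return {"status": "clean", "branch": work, "replayed": n}
    subject = git(repo, "log", "-1", "--format=%s", "REBASE_HEAD").stdout.strip()
    files = git(repo, "diff", "--name-only", "--diff-filter=U").stdout.split()
    git(repo, "rebase", "--abort")
    return {"status": "conflict", "branch": work, "patch": subject, "files": files}


if __name__ == "__main__":
    demo = make_demo_repo()
    print(rebase_vendor(demo, "v6.1.30", "v6.1.55", "vendor/bsp"))
```

In a real BSP tree the old tag is the upstream release the vendor kernel was branched from, the new tag is the LTS point release you want to move to, and the reported patch is the one that has to be reworked by hand before git rebase --continue; everything that replayed cleanly still needs the retest pass described above, because a clean textual merge says nothing about whether the driver still works.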

Vigiles SBOM Manager

Complying with New Government SBOM Requirements and Compliance Regulations for Device Manufacturers with Vigiles

Struggling to keep up with all the new federal cybersecurity and SBOM regulations rolled out across the United States and Europe, from the National Cybersecurity Strategy and FDA “refuse-to-accept” policy to the EU Cyber Resilience Act (CRA)?

We’ve heard you and have added updates to Vigiles, our SBOM generation, SBOM management, and vulnerability monitoring and remediation tool, to help you meet evolving global requirements for security in embedded products.

These brand-new Vigiles features are specifically tailored to alleviate the challenges faced by medical device, automotive, and industrial manufacturers working with federal regulations and compliance mandates.

These Key New Vigiles SBOM features include:

  • Generate NTIA-Compliant SBOMs for Your Yocto, Buildroot, and OpenWrt Systems: integrate SBOM generation into your CI/CD pipeline so that component changes and new vulnerabilities are monitored continuously.
  • Verify Your SBOMs with the NTIA Minimum Element Conformance Check: confirm that an SBOM carries the NTIA minimum elements before it goes to a regulator or customer, and that your products adhere to the latest cybersecurity guidelines.
  • Get Real-Time Compliance Alert Notifications: stay ahead of compliance requirements with proactive alerts for license violations, new components, and CVEs above a chosen severity score.
  • Seamlessly Import and Export Your SBOMs: bring existing SPDX or CycloneDX SBOMs into Vigiles, or convert non-standard SBOMs into these industry-standard formats for better compatibility and streamlined workflows.
  • Find What You’re Looking For Fast with Advanced Search: search for specific components and their associated CVEs across multiple SBOMs.
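
What the NTIA conformance check and the SBOM-driven CVE feed above boil down to, as an added example that is not Vigiles code: a Python script that reads a CycloneDX-style SBOM, reports which of the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, SBOM author and timestamp) each component is missing, and matches component versions against a small OSV-style list of affected ranges. The SBOM, its components and dependencies, the "demo-agent" package and the EXAMPLE-2023-0001 record are constructed for the demo; the only real advisory in the feed is CVE-2023-4863 (libwebp, fixed in 1.3.2). The version comparison is plain dotted-numeric, an assumption that does not hold for distro version strings with epochs or suffixes.

```python
"""Added example, not Vigiles code: NTIA minimum-element check and CVE matching
over a CycloneDX-style SBOM. The SBOM below and the EXAMPLE-2023-0001 record are
constructed; CVE-2023-4863 (libwebp, fixed in 1.3.2) is the only real advisory."""
import json
import re

# Constructed CycloneDX 1.4-style SBOM (a real one would be json.load()ed from
# the build's output). "demo-agent" is an imaginary in-house component.
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {
    "timestamp": "2023-09-29T12:00:00Z",
    "authors": [{"name": "demo build pipeline"}],
    "component": {"type": "firmware", "name": "demo-gateway-image",
                  "version": "1.0.0", "bom-ref": "image"}
  },
  "components": [
    {"type": "library", "name": "libwebp", "version": "1.3.1",
     "supplier": {"name": "Google"}, "purl": "pkg:generic/libwebp@1.3.1",
     "bom-ref": "libwebp"},
    {"type": "operating-system", "name": "linux", "version": "6.1.52",
     "supplier": {"name": "kernel.org"}, "purl": "pkg:generic/linux@6.1.52",
     "bom-ref": "linux"},
    {"type": "library", "name": "busybox", "version": "1.36.1",
     "purl": "pkg:generic/busybox@1.36.1", "bom-ref": "busybox"},
    {"type": "application", "name": "demo-agent", "version": "2.0.1",
     "supplier": {"name": "Demo Corp"}, "bom-ref": "demo-agent"}
  ],
  "dependencies": [
    {"ref": "image", "dependsOn": ["libwebp", "linux", "busybox"]}
  ]
}""")

CVE_FEED = [
    # Real advisory: heap buffer overflow in libwebp, fixed in libwebp 1.3.2.
    {"id": "CVE-2023-4863", "package": "libwebp",
     "ranges": [{"introduced": "0", "fixed": "1.3.2"}]},
    # Synthetic record for the constructed component; EXAMPLE-2023-0001 is not a CVE.
    {"id": "EXAMPLE-2023-0001", "package": "demo-agent",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.1.0"}]},
]


def version_key(v: str) -> tuple:
    """Dotted-numeric ordering ("1.3.2" < "1.3.10"). Assumption: plain upstream
    versions; distro strings with epochs or suffixes need a proper comparator."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version: str, ranges: list) -> bool:
    """True if version falls in any [introduced, fixed) range (OSV semantics)."""
    v = version_key(version)
    for r in ranges:
        lo = version_key(r.get("introduced", "0"))
        hi = r.get("fixed")
        if v >= lo and (hi is None or v < version_key(hi)):
            return True
    return False


def ntia_gaps(sbom: dict) -> dict:
    """Map each deficient component (or "_document") to its missing NTIA elements."""
    gaps = {}
    meta = sbom.get("metadata", {})
    doc = [e for e, ok in (("timestamp", meta.get("timestamp")),
                           ("author of SBOM data", meta.get("authors") or meta.get("tools")))
           if not ok]
    if doc:
        gaps["_document"] = doc
    # A component has a dependency relationship if the graph mentions it at all.
    linked = {meta.get("component", {}).get("bom-ref")}
    for d in sbom.get("dependencies", []):
        linked.add(d.get("ref"))
        linked.update(d.get("dependsOn", []))
    for c in sbom.get("components", []):
        checks = (
            ("supplier name", c.get("supplier", {}).get("name")),
            ("component name", c.get("name")),
            ("version", c.get("version")),
            ("unique identifier", c.get("purl") or c.get("cpe") or c.get("swid")),
            ("dependency relationship", c.get("bom-ref") in linked),
        )
        missing = [e for e, ok in checks if not ok]
        if missing:
            gaps[c.get("name", c.get("bom-ref", "?"))] = missing
    return gaps


def match_cves(sbom: dict, feed: list) -> list:
    """(component, version, advisory id) for every SBOM component in an affected range."""
    hits = []
    for c in sbom.get("components", []):
        for rec in feed:
            if rec["package"] == c.get("name") and is_affected(c["version"], rec["ranges"]):
                hits.append((c["name"], c["version"], rec["id"]))
    return sorted(hits)


if __name__ == "__main__":
    print("NTIA gaps:", ntia_gaps(SBOM))
    print("Affected:", match_cves(SBOM, CVE_FEED))
```

The two outputs are the two halves of triage: the NTIA gaps are what a regulator or customer will bounce an SBOM for, and the affected list is what gets escalated. Matching on the bare package name is the weak point of this toy; production feeds key on purl or CPE precisely because "linux" in one SBOM and "linux-yocto" in another are the same kernel, and a curated database is what turns a vendor's version string into something that can be compared against the advisory at all.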

Vigiles supports all major Linux build system integrations including Yocto, Buildroot, PetaLinux, Wind River Linux, PTXdist, OpenWrt, Timesys Factory, containers, RTOSes, and other operating systems and ecosystems such as Python for more accurate SBOM generation.

If you have Vigiles Prime or Enterprise, you automatically get these exciting new Vigiles SBOM enhancements. If you don’t currently have Vigiles Prime or Enterprise and would like to add Vigiles SBOM Manager to your security process, please contact sales about starting a Vigiles SBOM Manager account.

Learn with Timesys

Do you have legacy applications that need to run on newer embedded targets without having to include multiple, outdated versions of all their dependencies?

Did you know that containers can help decouple application development from the development of the embedded platform itself in timelines, teams, and tools? They can also allow application developers to work on desktop or workstation targets, then later deploy to the actual target hardware. Containerized applications and services can be an attractive solution on embedded Linux devices in a multitude of cases. Find out more with our Introduction to Containers on Embedded Linux blog!

From Regulatory Uncertainty to Expertise:

Mastering Cybersecurity Compliance in Medical Device Development, Even if You’re New to Compliance or Dealing with Limited Resources

October 19 @ 12 PM EDT / 9 AM PT

In this live webinar and Q&A session, you’ll learn how to navigate regulatory changes with confidence, understand their impact on your product, and prepare for compliance tasks without feeling overwhelmed, whether you’re new to compliance or working with limited resources.

Subscribe to our newsletter so you don’t miss a thing.