WHAT’S INSIDE:

• Cybersecurity news: "As Nasty as Dirty Pipe:" 8-Year-Old Linux Kernel Vulnerability Uncovered
• Timesys Commits to Strengthening the Security of the Open Source Software Supply Chain
• When's the Last Time You Got What You Really Wanted?
• Linux OS and BSP Maintenance Takes the Complex, Time-Consuming Work Off Your Plate
• How Do You Secure Your Linux-Based Embedded Devices Without Giving Full Root Privileges?
• Learn with Timesys: blogs and webinars galore
• Upcoming events: NXP Tech Days

Cybersecurity in the news

"As Nasty as Dirty Pipe:" 8-Year-Old Linux Kernel Vulnerability Uncovered

According to The Hacker News, “Details of an eight-year-old security vulnerability in the Linux kernel have emerged that the researchers say is "as nasty as Dirty Pipe." Dubbed DirtyCred by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level.

Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged. The novel exploitation method, according to the researchers, pushes the dirty pipe to the next level, making it more general as well as potent in a manner that could work on any version of the affected kernel.”

Read the full article here: https://thehackernews.com/2022/08/as-nasty-as-dirty-pipe-8-year-old-linux.html 

This CVE is not currently in NVD; it's an early notification that has been reported by Vigiles. 

Need more info on these vulnerabilities? Check them out here:
https://linuxlink.timesys.com/vigiles/cves/CVE-2022-2588/

Want to stay ahead of threats? Lucky you: we launched the Timesys CVE Dashboard and update it weekly with details on the dangerous security vulnerabilities that could be affecting your device.

Timesys Joins OpenSSF

Timesys Commits to Strengthening the Security of the Open Source Software Supply Chain

Earlier this month, Timesys joined OpenSSF and the Linux Foundation in an effort to spread awareness of the need for strong open-source software security and to share resources to help secure the open-source supply chain. 

For more than 5 years, Timesys has been developing technology to help secure, monitor, and maintain open-source based embedded Linux and Android devices from exposures and vulnerabilities. 

“With software supply chain breaches up more than 650%, securing the software supply chain is a big focus.” Atul Bansal, CEO of Timesys, said. “We are so excited to be joining up on this community effort with OpenSSF and to be a part of the Linux Foundation again. By sharing technology and collaborating to build ecosystems that accelerate open-source technology development, device manufacturers and consumers everywhere will be able to rest easier knowing they are secure.” 

Timesys Vulnerability Management Survey

When's the Last Time You Got What You Really Wanted?

Make your dreams a reality. Your vulnerability management dreams. Help us out with your feedback and you can guide the roadmap for the vulnerability management features that make it faster to build and maintain secure products which let you sleep easier at night.

Plus, you could win a $50 gift card!

Long-term Support

Linux OS and BSP Maintenance Takes the Complex, Time-Consuming Work Off Your Plate

The outdated strategy of “freeze and release” — freezing a device’s software at product launch with no plan or process to update it in the field — puts devices at high risk of security compromise. Whether you use Yocto Project, Buildroot, or Timesys Factory build system, regular upgrades are needed to ensure device security, to apply bug fixes, and to support newer hardware and technologies.

At Timesys, we understand how product security updates and addressing security vulnerabilities reported by customers can be time-consuming work that takes more resources, time, and investment than are readily available. 

For half the cost of doing it yourself, take advantage of our deep expertise to maintain your Linux OS and BSP for the full lifecycle of your device. Timesys Linux OS and BSP Maintenance provides you and your customers with much-needed long-term security.

• Boost Compliance with a Continuous Security Feed and CVE Monitoring with Our Best-In-Class Tool, Vigiles
• Enjoy Seamless Workflow Integration and Collaborative Triage and Development for Releases
• Meet Your Release Schedules with an Update Cadence That Meets Your Product Security Policy
  

Avoid frequent maintenance cycles, high staffing costs, and priority conflicts by signing up for Timesys’ Linux OS/BSP Maintenance service. Get long term security updates and maintenance for your embedded device for half the cost of a junior engineer. 

Linux Polkit

How Do You Secure Your Linux-Based Embedded Devices Without Giving Full Root Privileges? 

Securing the Linux-based embedded device is an arduous task and involves various layers, such as boot loaders, kernel, applications, and more. The primary challenge of securing Linux applications is controlling and hardening the use of elevated privileges. Elevated privileges indeed is a thin line which has to be drawn carefully. Unfortunately, Linux-based privilege elevation, especially in embedded systems, doesn’t meet the security hardening requirements.

To throw more light, the applications requiring elevated privileges will make use of sudo command. However, the issue with this approach is that sudo provides full root privileges to the applications. A threat actor can exploit these elevated privileges and can perform unauthorized operations, denial of service, command and control, and more.

Polkit (also known as “Policy Kit”) is an application-level framework for defining and handling the security policy of the applications. Unlike with the sudo mechanism, the Polkit framework handles the application security, especially the elevated privileges mechanism, in a fine-grained manner. 

Learn with Timesys

Read Up On Embedded Security With Our Blogs

Securing U-Boot: A Guide to Mitigating Common Attack Vectors

Many embedded systems implementing software authentication (secure boot and chain of trust) use U-Boot as their bootloader. Making sure this bootloader is properly secured so that someone cannot bypass your chain of trust and boot unauthenticated software is very important. Learn more about securing U-Boot with this blog:

Upcoming Events

Conferences Around the World You Don't Want to Miss

Vulnerability Management for Embedded

Tools & Techniques to Monitor and Remediate Vulnerabilities in Your SBOM

September 29 @ 12 PM ET / 9 AM PT

In this monthly live webinar and Q&A session, you'll learn essential ways to avoid a five-figure mistake along with:

- Why you need to manage your open-source software risks 
- How to generate an accurate SBOM (Software Bills of Materials) and why it matters
- Tools and techniques to monitor and remediate vulnerabilities in your SBOM
- And much more!

Can't make it on September 29th? Reply to this email and we'll send you the event recording, or watch previous webinars here.

www.timesys.com

Timesys, the Timesys logo, and Vigiles are trademarks or registered trademarks of Timesys Corporation. Linux is a registered trademark of Linus Torvalds in the United States and other countries. All other company and product names mentioned are trademarks and/or registered trademarks of their respective owners.