
Timesys embedded software development and security newsletter September 2021

Embedded Systems
A Timesys Deep Dive

June 2022

WHAT’S INSIDE:

Cybersecurity in the news

Technical Advisory – Multiple Vulnerabilities in U-Boot

According to the NCC Group Research: "U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most Linux based embedded systems such as ChromeOS and Android Devices. Two vulnerabilities were uncovered in the IP Defragmentation algorithm implemented in U-Boot, with the associated technical advisories below:

  • Technical Advisory – Hole Descriptor Overwrite in U-Boot IP Packet Defragmentation Leads to Arbitrary Out of Bounds Write Primitive (CVE-2022-30790)
  • Technical Advisory – Large buffer overflow leads to DoS in U-Boot IP Packet Defragmentation Code (CVE-2022-30552)"

Read the full article here: https://research.nccgroup.com/2022/06/03/technical-advisory-multiple-vulnerabilities-in-u-boot-cve-2022-30790-cve-2022-30552/amp/

Need more info on this vulnerability? Check it out here: https://linuxlink.timesys.com/vigiles/cves/CVE-2022-30295/

 

Want to stay ahead of threats? Lucky you: we launched the Timesys CVE Dashboard and update it weekly with details on the dangerous security vulnerabilities that could be affecting your device.

Take me to the CVE Dashboard

Recap: Embedded World 2022

All the latest security solutions in the Embedded World.

From June 21 to June 23, Timesys showcased the latest security solutions as a featured partner with our friends at STMicroelectronics and AWS at Embedded World in Nuremberg, Germany.

Missed Embedded World this year? Check out this video with Kamel Kholti, MPU Product Marketing Manager, showcasing how Vigiles enriches the STM32MP1 ecosystem and how Timesys, Foundries.io, and STMicroelectronics are bringing solutions that provide you the support and security you need to get to market faster. 

IoT Security Simplified with VigiShield Secure by Design

Why use PKCS#11?

PKCS#11 gives applications a platform-independent way to use keys securely. It can also be configured so that keys are never exposed to the application, which vastly reduces the attack surface. For example, applications can request signing or encryption of data without ever needing to know the private keys.

For customers seeking enhanced security and key provisioning, VigiShield Secure by Design provides the core security features your device needs with an easy-to-understand, PSA certified, maintainable Yocto security layer. 

For more information about securing IoT device keys with PKCS#11, read our PKCS#11 with OP-TEE: Securing IoT device keys article in our blog library.

 

Learn More About VigiShield
Schedule a VigiShield Consultation

 

 

Coming Soon

API Toolkit updates to Vigiles, our purpose-built vulnerability management tool that adapts to your SDLC process.

This best-in-class vulnerability monitoring and remediation tool combines a curated CVE database, continuous security feed based on your SBOM, powerful filtering, and easy triage tools so you don’t get blindsided by vulnerabilities.

But at Timesys, we don't stop there. We've been listening to customer requests and feedback and are working on augmenting the APIs so you can implement your own dashboards and filter notes and alerts based on what's most important to you.

This module update will also:

  1. Integrate with your existing SDLC software through a Python package for interacting with the Vigiles API, so that users can write scripts or integrate Vigiles into their own tools.
  2. Include all the most common tasks as command-line prompts. This will let users perform tasks such as applying a patch for a CVE, conducting a test build, and fetching a comparison between scans before and after to attach to the internal bug tracker.
  3. Add a reference implementation for users who interact with the API from their own code, so they can compare results and translate segments into their language of choice.

 

Compare Vigiles Free, Prime, and Enterprise

 

Get in touch to discuss Vigiles Enterprise

Timesys in the news

Atul Bansal of Timesys Talks Open-Source Software on TechVibe Radio.

On Sunday, June 26, Timesys CEO Atul Bansal joined TechVibe Radio host Jonathan Kersting at 6 AM to “geek out” about the importance of cybersecurity, especially for connected devices.

If you missed the segment and would like to hear the inside secrets of how Timesys’ expertise helps OEMs, ODMs, and design houses cut development costs and accelerate time-to-market for devices and IoT systems, check out the recording of the discussion on TechVibe’s archive.

Listen to the TechVibe Radio segment with Timesys

Learn with Timesys

Read up on embedded security with our latest blogs

 

DM-Verity Without an Initramfs

Learn how you can implement file system verification on your embedded system without the use of an initramfs. This can significantly reduce boot time and storage requirements in many situations.

Read the blog

 

 

Securing U-Boot: A Guide to Mitigating Common Attack Vectors

Learn how you can protect and secure U-Boot implementations on your embedded systems. The guide covers signed FIT images, environment protections, and methods for disabling the serial console.

Read the blog

Upcoming Events

Conferences Around the World You Don't Want to Miss

 

NXP Tech Day Irvine

Global Training Program

June 30, Irvine, CA

Join us for an insightful presentation: Secure by Design - Building Secure IoT Solutions.

Register To Attend

 

Security Vulnerability Management 101

Tools & Techniques to Monitor and Remediate Vulnerabilities in Your SBOM

July 21 @ 12 PM ET / 9 AM PT

In this monthly live webinar and Q&A session, you'll learn:

- Why you need to manage your open-source software risks
- How to generate an accurate SBOM (Software Bill of Materials) and why it matters
- Tools and techniques to monitor and remediate vulnerabilities in your SBOM
- And much more!

Yes! I want to register for the live webinar and Q&A

Can't make it on July 21st? Reply to this email and we'll send you the event recording, or watch previous webinars here.

www.timesys.com


Timesys, the Timesys logo, and Vigiles are trademarks or registered trademarks of Timesys Corporation. Linux is a registered trademark of Linus Torvalds in the United States and other countries. All other company and product names mentioned are trademarks and/or registered trademarks of their respective owners.

Copyright ©2022 Timesys Corporation
Our address is 1905 Blvd of the Allies, Pittsburgh, PA 15219, USA
