Security Incident
28.Sep.2021
Software vulnerabilities become hacker targets again - How to address supply chain security risks?
Security issue found on one Integrated Access Device (IAD) affects millions of devices and exposes their vulnerabilities
The source of this risk affecting dozens of brands and millions of devices is a path traversal vulnerability. The Path Traversal vulnerability allows hackers to bypass authentication and browse numerous directories on the victim host. Once hacked, hackers can gain control of the victim host, and even gain superuser (also called root) privileges. Because of this, the CVSS v3 score for the CVE-2021-20090 vulnerability is as high as 9.8.
Path Traversal vulnerability means that users can directly access files in any path through a specific string composed of special characters, bypassing the file path that restricts access originally. Taking CVE-2021-20090 as an example, some directories in the web management interface of the affected products are set as bypass list. These files in the bypass list (eg: /images, /js, /css) can be accessed directly without authentication. As a result, the attacker can add the directory path of the bypass list in the URL, and the product's web management interface will not authenticate the HTTP request. The attacker then uses Path Traversal to access other pages that require authentication. Taking http:///info.htm as another example, users who have passed the authentication can obtain system operation information through this page. If the attacker directly accesses without logging in, the page will return to the login page. However, attackers can obtain system information by bypassing authentication.
Due to the high availability of this vulnerability, hacker groups have begun to use it to distribute some viruses such as Mirai to attack related products.
The patching method for this vulnerability first needs to check the input string. Second, because the affected products also have problems with the connection management mechanism, the user's status should be checked through the Session ID instead of the IP address to check whether the user is an authenticated user.
Path Traversal vulnerability means that users can directly access files in any path through a specific string composed of special characters, bypassing the file path that restricts access originally. Taking CVE-2021-20090 as an example, some directories in the web management interface of the affected products are set as bypass list. These files in the bypass list (eg: /images, /js, /css) can be accessed directly without authentication. As a result, the attacker can add the directory path of the bypass list in the URL, and the product's web management interface will not authenticate the HTTP request. The attacker then uses Path Traversal to access other pages that require authentication. Taking http:///info.htm as another example, users who have passed the authentication can obtain system operation information through this page. If the attacker directly accesses without logging in, the page will return to the login page. However, attackers can obtain system information by bypassing authentication.
Due to the high availability of this vulnerability, hacker groups have begun to use it to distribute some viruses such as Mirai to attack related products.
The patching method for this vulnerability first needs to check the input string. Second, because the affected products also have problems with the connection management mechanism, the user's status should be checked through the Session ID instead of the IP address to check whether the user is an authenticated user.
Vulnerabilities in chips have become a part of software supply chain security that cannot be ignored
In addition to the impact of software vulnerabilities on end products, the issue of chip security vulnerabilities has gradually increased recently. The main reason is that the System On Chip (SoC) came into being because the chip developers wanted to meet a variety of needs. The SoC often contains a variety of functions, such as integrating a small system in a single chip, so that it can be provided to product manufacturers in different industries more conveniently and quickly. However, it is inevitable that a variety of cybersecurity risks have begun to emerge. Recently, SoC produced by a major chip manufacturer were found to have several security vulnerabilities (CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, CVE-2021-35395), allowing hackers to exploit these vulnerabilities to attack the system.
Among them, CVE-2021-35394 and CVE-2021-35395 have CVSS v3 scores of 9.8, both of which are high-risk vulnerabilities:
- Regarding CVE-2021-35394, hackers can exploit the Buffer over flow and Command Injection vulnerabilities of UDPServer MP to attack.
- CVE-2021-35395 affects the web interface of the SDK and has multiple Buffer over flow vulnerabilities. So far, Mirai botnet program has been found to start exploiting these vulnerabilities to attack affected IoT devices.
- CVE-2021-35392/CVE-2021-35393 have the vulnerabilities of Heap buffer overflow and Stack buffer overflow, which correspond to UPnP and SSDP services. These two CVEs have a slightly lower score of 8.1 on the CVSS rating than the first two vulnerabilities, but UPnP is a service frequently used by many device manufacturers, so its impact on the supply chain cannot be ignored.
Software Supply Chain Security
Judging from the above two examples, the flaws in the code design and the vulnerabilities of third-party packages during the product development process may lead to malicious exploitation of the vulnerabilities of the final product, resulting in substantial and reputational damage to enterprises.
The current Software Supply Chain is intricate and interlocking in the world. The cybersecurity risk generated by any part may have a huge impact and eventually cause an unimaginable ripple effect. For example, the two incidents mentioned above involved many brands and different models of products, including home gateways, IP sharing routers, WiFi repeaters, IP CAMs, and even some IoT toys. The supply sources they use all have the same vulnerability. The complex supply chain relationship ultimately leads to the vulnerability affecting millions of devices.
In order to prevent and quickly respond to such cybersecurity incidents, enterprises need to establish cybersecurity management processes in advance, plan product cybersecurity testing well, or take correct actions after cybersecurity incidents occur. However, most enterprises have not yet or do not have the resources to establish such a mechanism. In the initial stage, the most important thing is to quickly establish basic cybersecurity protection capabilities in the most cost-effective way to prevent similar incidents from happening. One of the most effective ways is to introduce automation products and get international certifications.
The current Software Supply Chain is intricate and interlocking in the world. The cybersecurity risk generated by any part may have a huge impact and eventually cause an unimaginable ripple effect. For example, the two incidents mentioned above involved many brands and different models of products, including home gateways, IP sharing routers, WiFi repeaters, IP CAMs, and even some IoT toys. The supply sources they use all have the same vulnerability. The complex supply chain relationship ultimately leads to the vulnerability affecting millions of devices.
In order to prevent and quickly respond to such cybersecurity incidents, enterprises need to establish cybersecurity management processes in advance, plan product cybersecurity testing well, or take correct actions after cybersecurity incidents occur. However, most enterprises have not yet or do not have the resources to establish such a mechanism. In the initial stage, the most important thing is to quickly establish basic cybersecurity protection capabilities in the most cost-effective way to prevent similar incidents from happening. One of the most effective ways is to introduce automation products and get international certifications.
How to prevent and address cybersecurity incidents
IoT device international certification
At present, many international organizations or institutions have launched security assessment standards for the Internet of Things (IoT), such as the US CTIA IoT cybersecurity standards, the EU ETSI EN 303 645 security standard, the UK GSMA IoT cybersecurity assessment, and the ioXt IoT cybersecurity certification. Obtaining these international cybersecurity certification marks is a very beneficial method, which allows IoT device manufacturers to improve the security quality and strength of their products and enhance their international competitiveness. Onward Security's IoT cybersecurity testing laboratory, which is recognized by many international organizations, can provide localized services to help customers quickly obtain various product certifications.
SecDevice
Onward Security's SecDevice vulnerability detection automation tool provides Path traversal detection, which can find out whether a device has security risks of CVE-2021-20090, and allow manufacturers to correct vulnerabilities and prevent risks before products leave the factory. SecDevice can also perform known vulnerability scanning and unknown vulnerability Fuzz Testing to identify relevant security risks in advance.
SecSAM
SecSAM open source software risk management system manages product firmware and software component information through the concept of Software Bill of Materials (SBoM). It helps manufacturers improve the transparency of the software supply chain and establish a software Cybersecurity BOM (CBOM), which can help manufacturers manage information such as components and Common Vulnerabilities and Exposures (CVE) used in products. When a cybersecurity incident occurs, you can immediately know whether there are corresponding vulnerabilities in your products, and respond and deal with it before the damage is further expanded.
Reference:
https://zh-tw.tenable.com/security/research/tra-2021-13?tns_redirect=true
https://www.ithome.com.tw/news/146091
https://nosec.org/home/detail/4822.html
https://www.ithome.com.tw/news/146236
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
Reference:
https://zh-tw.tenable.com/security/research/tra-2021-13?tns_redirect=true
https://www.ithome.com.tw/news/146091
https://nosec.org/home/detail/4822.html
https://www.ithome.com.tw/news/146236
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
