When added together, Linux platform variants create the largest platform for IoT operating system development and distribution. The proliferation of Linux variants in the IoT market has occurred because Linux is fast and can be easily customized — and shared innovation is occurring at a breakneck pace.
Unfortunately, a new software vulnerability found in the Linux kernel listed as CVE-2018-5390 at the National Vulnerability Database, dubbed SegmentSmack, has the potential to cause significant problems for the IoT industry. Security experts at Carnegie Mellon University’s CERT Coordination Center said the vulnerability is in Linux kernel versions 4.9 and higher.
Hackers could exploit the vulnerability to hit systems with a denial-of-service (DoS) attack on networking kit. Newer versions of the Linux kernel could be “forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a DoS”. CERT/CC lists a number of network equipment vendors, PC and server manufacturers, mobile vendors and operating system makers that may be affected. However, it has not yet confirmed whether any PC, server or IoT systems have actually been impacted.
A bit about software vulnerabilities
Whether software code is proprietary or open source, it harbors security vulnerabilities. Supporters of open source argue that the accessibility and transparency of the code allow the good guys — corporate quality assurance teams, white hat hackers or open source project groups — to find bugs faster.
Critics contend that more attackers than defenders examine the code, resulting in a net effect of higher incidents of vulnerability exploits. The open source community is good at addressing vulnerability issues. Once open source vulnerabilities are discovered, the community is quick to catalog IDs and provide updated open source components that address the vulnerabilities.
Understand your code and firmware
The first line of defense to address open source vulnerabilities is for businesses to know exactly what open source code is present in their software — before and after they procure it. This can be a challenge given that the majority of companies that use third-party code often receive software in binary format. As a result, open source code usage is not well-documented.
However, there are new types of fingerprint-based binary code scanners that enable companies to scan their software and firmware in binary code, alleviating the somewhat inaccurate and time-consuming practice of reverse engineering their code to make it source code — and then scan it for composition.
Visibility into exactly what open source components reside in the current or prospective code gives IoT developers and IT departments the ability to assess their investment risks and take proactive measures to ensure security. In this case, IoT device manufacturers and embedded firmware developers can use binary code scanning tools to see exactly what Linux kernel they are using.
Update the embedded code or things could get bad
Upon gaining visibility into their codebase, developers can pinpoint which systems are using Linux kernel versions 4.9 and up. They can then begin the process of updating their firmware. Fortunately these updates are already available for organizations to address the vulnerability and can be found on a long list of networking, security, storage and open source operating system vendors.
That said, we understand that keeping track of updates for embedded code is not nearly as easy as doing so for desktop or enterprise Linux OS distributions. However, should a working proof-of-concept attack be published in the next few days, there is potential for significant disruption in the hyper-connected world. Consequently, it is imperative that IoT vendors take immediate steps to find out whether their code harbors SegmentSmack and, if so, address the vulnerability and update their firmware.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.