A 20-year-old Linux flaw opens a new window onto the threat to the Internet of Things

Researchers have recently found a 20-year-old vulnerability in the Linux kernel, in several open source libraries and in a popular compression algorithm used on Samsung Android mobile devices. The researchers say the flaw may affect some car and aircraft systems as well as other consumer electronics that run embedded open source software.
In the past few days we have already seen fixes for the integer overflow vulnerability land in the Linux kernel and in various open source libraries. The flaw lets an attacker mount denial-of-service attacks, and potentially remote code execution, against systems that run the Lempel-Ziv-Oberhumer (LZO) code. LZO is commonly used on embedded systems to compress and decompress TCP/IP network traffic and files.
Don Bailey, a mobile and embedded systems security expert at Lab Mouse Security, found the flaw by manually auditing the code. He said: "The most common use is in image data: extracting images and getting the raw image from a camera or video."
Bailey said the hardest part of the flaw is that the algorithm is so widely used it could affect consumer products. Whether a product is exposed depends on which version of the specification it uses and on how the algorithm is deployed in the system, so at the moment nobody knows how many consumer products are at risk.
He said several key products deploy LZO, including OpenVPN, Samsung Android devices, Apache Hadoop, Juniper Networks Junos IPsec, mplayer2, GStreamer and ZFS on BSD/Solaris (LZ4), but it is unclear whether those deployments of LZO are vulnerable. He said: "The most likely scenario is that they could be affected by a DoS."
Whether a system is affected depends entirely on how the algorithm is deployed, as well as on the underlying architecture and the application's memory layout. Every LZO deployment should therefore be evaluated for exposure to the vulnerability and patched.
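To make the class of bug concrete, the following is an added example written for this page (it is not LZO's, the Linux kernel's, Oberhumer's or Lab Mouse Security's code). It models an LZO-style "long run" length field, where each zero byte adds 255 to the run length and the first non-zero byte terminates the field; that encoding, the function names and the 4096-byte output size are assumptions, and the input bytes are constructed in the code. The accumulator is a uint32_t so the 32-bit arithmetic that makes the architecture matter is reproduced on any host. The block shows the unchecked accumulator wrapping after about 16.8 million zero bytes, an additive bounds check being bypassed by a wrapped sum, and the hardened forms of both.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of an LZO-style "long run" length field (an assumed
 * simplification; not LZO's, the kernel's or Oberhumer's code): each 0x00
 * byte adds 255 to the run length and the first non-zero byte terminates
 * the field, adding its own value. The accumulator is uint32_t so that
 * 32-bit size arithmetic is reproduced on any host. */

/* Unchecked decoder: nothing stops the accumulator wrapping past 2^32 - 1. */
int run_length_unchecked(const uint8_t *in, size_t in_len,
                         uint32_t *len, size_t *used)
{
    uint32_t t = 0;
    size_t i = 0;
    while (i < in_len && in[i] == 0) {
        t += 255u;                 /* wraps silently after ~16.8M zero bytes */
        i++;
    }
    if (i >= in_len)
        return -1;                 /* truncated: no terminator byte */
    t += in[i++];                  /* can wrap as well */
    *len = t;
    *used = i;
    return 0;
}

/* Hardened decoder: max_len is the output space still available; the run is
 * rejected as soon as it could not fit, which also rules out any wrap. */
int run_length_checked(const uint8_t *in, size_t in_len, uint32_t max_len,
                       uint32_t *len, size_t *used)
{
    uint32_t t = 0;                /* invariant: t <= max_len */
    size_t i = 0;
    while (i < in_len && in[i] == 0) {
        if (max_len - t < 255u)
            return -1;             /* would exceed the output buffer */
        t += 255u;
        i++;
    }
    if (i >= in_len || max_len - t < in[i])
        return -1;
    t += in[i++];
    *len = t;
    *used = i;
    return 0;
}

/* Bounds check as an addition in 32-bit arithmetic: pos + len can wrap back
 * below size, so an enormous len slips through. */
int fits_additive(uint32_t pos, uint32_t len, uint32_t size)
{
    return (uint32_t)(pos + len) <= size;
}

/* The same check written so that no intermediate value can overflow. */
int fits_subtractive(uint32_t pos, uint32_t len, uint32_t size)
{
    return pos <= size && len <= size - pos;
}

/* Constructed input: n_zero zero bytes followed by one terminator byte. */
static uint8_t *make_run(size_t n_zero, uint8_t last, size_t *out_len)
{
    uint8_t *buf = calloc(n_zero + 1, 1);
    if (buf == NULL)
        return NULL;
    buf[n_zero] = last;
    *out_len = n_zero + 1;
    return buf;
}

/* Length the unchecked decoder reports for such a field, or -1 on failure.
 * 16843008 zeros + 0x01 gives 0xFFFFFF01 (no wrap yet, but pos + len wraps);
 * 16843009 zeros + 0x10 wraps the accumulator itself to 15. */
long long unchecked_len_of(size_t n_zero, uint8_t last)
{
    size_t n, used; uint32_t len;
    uint8_t *in = make_run(n_zero, last, &n);
    if (in == NULL)
        return -1;
    int rc = run_length_unchecked(in, n, &len, &used);
    free(in);
    return rc == 0 ? (long long)len : -1;
}

/* Return code of the checked decoder for the same field (-1 = rejected). */
int checked_rc_of(size_t n_zero, uint8_t last, uint32_t max_len)
{
    size_t n, used; uint32_t len;
    uint8_t *in = make_run(n_zero, last, &n);
    if (in == NULL)
        return -1;
    int rc = run_length_checked(in, n, max_len, &len, &used);
    free(in);
    return rc;
}
```

The point the article's sources make about architecture is visible in the numbers: the bypass needs the sum `pos + len` to wrap, which happens at 2^32 on a 32-bit size type but not on a 64-bit one with the same input, and a roughly 16 MB run of zero bytes is a realistic size for a video or image container. The hardened decoder never lets the running total exceed the space actually left in the output, so neither the accumulator nor the later bounds check can wrap.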
The worry with this flaw is the potential danger it poses to business systems. Bailey said: "If it runs on an embedded system, in a car or an aircraft, it could be used to cause a software failure in an RF module and lead to a microcontroller or embedded system failure. Depending on the architecture, the system fault may or may not happen."

It could also be used for remote code execution through audio-visual media, he said: "If you are watching a video, a malicious video could give someone a shell on your computer, which means code executes while you watch the video."
There are still many unknowns about the impact of the vulnerability. NASA's Mars rover also runs LZO, but Bailey said that because we don't know how the code is deployed there, we have no way of knowing whether the rover is affected.
Trey Ford, global security strategist at Rapid7, said LZO compression is very commonly used by RF modules. He said: "You will find it in almost all Linux versions, and it may also affect Solaris, iOS and Android. It is important to note that some Linux kernel (based) operating system versions are used in almost all Internet of Things devices, whatever their function."
But because it is unclear how the vulnerability behaves in different deployments, it is hard to judge how dangerous the flaw is. Ford said: "The flaw may allow bypassing the boot loader's signature in a modified kernel deployment, or it may possibly be exploited at the local kernel level through a specially crafted USB drive. Without more details, it is difficult to assess the potential threat of the vulnerability."
Meanwhile, Bailey said: "As the Internet of Things becomes more popular, we will see more of these holes."
However, not every system running LZO will be patched now or in the future. "Many older projects may not fix it," he said. "Enterprises may have many legacy systems and not know they are using the library."
The LZO flaw has some similarities with Heartbleed, though its impact is not as large. He said: "It may be just as dangerous as Heartbleed, because it affects a wide range of platforms; this vulnerability may lead to memory leaks, denial of service and remote code execution."
Bailey has published technical details of the LZO flaw.
The fixes released for the vulnerability so far:
· A Linux kernel update was released today; according to the project's developers, patches for all Linux distributions are now available.
· According to the developers of the open source project, the Libav CamStudio and NuppelVideo decoders and the Matroska demuxer that uses LZO are affected. Libav 0.89 and 10 are vulnerable and were patched this week.
· The VideoLAN and FFmpeg media players were also patched this week.
· Oberhumer, which develops the LZO Professional data compression library used in rovers, aircraft, cars, mobile phones, operating systems and game consoles, did not respond to questions about whether its systems are affected by the vulnerability or whether it will issue a patch.
The company has, however, released a software update, LZO 2.07. It is unclear whether this update fixes the LZO flaw; Bailey said the website does not indicate that the new version fixes any security issue.
Oberhumer says on its website: "Basically, if you have a car, a mobile phone, a computer or a games console, or have been to a hospital recently, chances are you're using our embedded data compression technology."