Sloppy string sanitization sabotages system security of millions of Java-powered 3G IoT kit: Patch me if you can
IBM's X-Force Red X-reveals X-flaw in Thales X-wireless X-module X-thing
A vulnerability in Thales' Cinterion EHS8 M2M module, a Java-powered embedded 3G system used in millions of Internet-of-Things devices for connectivity, was revealed yesterday by IBM's X-Force Red.
The bug (CVE-2020-15858), disclosed to Thales and addressed in a patch made available to IoT vendors in February, makes it possible for an attacker to, for instance, extract the code and other resources from a vulnerable device. This information could be reverse-engineered to find vulnerabilities to exploit, and secret keys and passwords to extract, potentially leading to miscreants hijacking the hardware and/or gaining access to its network.
Big Blue's infosec team contended that compromising a vulnerable Cinterion module could allow scumbags to, say, overdose patients with forced insulin pumps or interfere with the electrical grid. The flaw is present not only in the EHS8 module, but also in related IoT modules including BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, and PLS62.
The hardware came to Thales by way of its Gemalto acquisition last year. Used in the automotive, energy, medical, and telecom industries, each module includes a system-on-chip with an embedded Java ME interpreter and flash storage, according to IBM, alongside various interfaces, including GSM, USB, I2C, SPI et al. This chip also supports IP and PPP communication.
X-Force Red described the widget as an embedded Java environment that accepts low-level "AT" commands via a physical UART serial connection. The chip runs programs called Java "midlets" that are installed by vendors and Thales. The flaw, when exploited, provides an attacker with full read and write access to the Java midlets running on the system.
The Internet of Things is a security nightmare, latest real-world analysis reveals: Unencrypted traffic, network crossover, vulnerable OSesREAD MORE
The bug is basically a flawed string sanitization check. According to X-Force Red, Thales' Java code includes an attempt to check if the fourth character in a path substring is a dot, to ensure that no attempt is made to access sensitive hidden files (designated by a dot in the filename).
"In normal circumstances, any attempt to access hidden files with a dot prefix will be denied (example:
a:/.hidden_file)," observed X-Force Red security hackers Adam Laurie and Grzegorz Wypych in a detailed advisory on Wednesday. "However, replacing the slash with double slash (example:
a://.hidden_file) will cause the condition to fail and code execution will jump to a character checking loop which will match any printable character."
In other words, the security check intended to prevent access to dot-prefixed hidden files can be bypassed with a double slash. This can be exploited by someone with their hands on a Cinterion module to send the necessary AT commands to read hidden files, and mine that information for ways to remotely compromise other people's gear.
The fact that Thales has put out a fix doesn't necessarily mean that it has been applied everywhere; patching can be done via an over-the-air update, if available, or via a connected USB drive. For medical devices and industrial controls, IBM's security pros noted, the update process may require recertification or impose other burdens.
Thales claims to have 30,000 businesses using technology from its Digital Identity and Security Group. Some of those are customers of its IoT division, which helps connect more than 3 billion networked devices annually or so, the company says. There's probably still some patching work that needs to be done. ®