Security Week 40: a bug in systemd, 20 vulnerabilities in a D-Link router, hacking insulin pumps

    Two popular news items this week immediately raise the important topic of assessing the severity of vulnerabilities in particular, and of judging the security of software or hardware in general. In order: on October 3, Andrew Ayer, founder of the SSLMate service, reported a vulnerability in the systemd init daemon (news, Ayer's original post). The vulnerability is a denial of service and is exploitable only locally. Any unprivileged user who runs NOTIFY_SOCKET=/run/systemd/notify systemd-notify "" can hang systemd (PID 1), and with it the system. The bug, caused by incorrect handling of a zero-length message and already fixed, had existed in systemd for two years, since version 209.
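    As an added illustration of the bug class (this is not systemd's code and it simplifies systemd's event loop), the C program below shows a notification-socket handler that treats a zero-length datagram as a failure next to a fixed version. A local socketpair stands in for /run/systemd/notify, and the payloads are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Verdicts a handler returns to its event loop. An event loop that drops
 * the socket on DISPATCH_ERROR never services it again. */
enum { DISPATCH_ERROR = -1, DISPATCH_IDLE = 0, DISPATCH_MESSAGE = 1 };

/* Buggy handler (illustration, not systemd's code): "n <= 0" lumps the
 * legal empty datagram (n == 0) together with real failures. */
static int notify_dispatch_buggy(int fd, char *buf, size_t len) {
    ssize_t n = recv(fd, buf, len, MSG_DONTWAIT);
    if (n <= 0) {
        if (n < 0 && (errno == EAGAIN || errno == EINTR))
            return DISPATCH_IDLE;   /* nothing queued: fine */
        return DISPATCH_ERROR;      /* n == 0 wrongly lands here */
    }
    return DISPATCH_MESSAGE;
}

/* Fixed handler: only a negative return with a real errno is an error;
 * an empty datagram is consumed and ignored, and the socket stays live. */
static int notify_dispatch_fixed(int fd, char *buf, size_t len) {
    ssize_t n = recv(fd, buf, len, MSG_DONTWAIT);
    if (n < 0) {
        if (errno == EAGAIN || errno == EINTR)
            return DISPATCH_IDLE;
        return DISPATCH_ERROR;
    }
    if (n == 0)
        return DISPATCH_IDLE;       /* zero-length message: skip it */
    return DISPATCH_MESSAGE;
}

/* Drive a handler with one constructed datagram over a local AF_UNIX
 * datagram socketpair (stands in for the notify socket). Returns the
 * handler's verdict, or a value below -1 on setup failure. */
static int run_notify(int (*dispatch)(int, char *, size_t),
                      const char *payload, size_t plen) {
    int sv[2];
    char buf[256];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -100;
    if (send(sv[0], payload, plen, 0) < 0) {
        close(sv[0]);
        close(sv[1]);
        return -101;
    }
    int verdict = dispatch(sv[1], buf, sizeof buf);
    close(sv[0]);
    close(sv[1]);
    return verdict;
}

int main(void) {
    printf("buggy handler, empty datagram:  %d\n",
           run_notify(notify_dispatch_buggy, "", 0));
    printf("fixed handler, empty datagram:  %d\n",
           run_notify(notify_dispatch_fixed, "", 0));
    printf("fixed handler, READY=1:         %d\n",
           run_notify(notify_dispatch_fixed, "READY=1", 7));
    return 0;
}
```

    The point is that on a datagram socket recv() returning 0 means "an empty datagram arrived", not end-of-file and not an error. A loop that tears the socket down on that verdict stops listening after a single empty message, which is exactly the kind of silent hang an unprivileged local sender can trigger.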

    With plenty of examples for comparison (Shellshock, say, or the same Heartbleed), one can say quite confidently that this is far from the most terrible bug in the world. Nevertheless, the flame war around the problem turned out to be large-scale. The reason lies in the catchy description of the bug: "you can hang the system with a message that fits in one tweet." And in the sharp reaction of Pantheon's CTO, an active supporter of systemd. From there it went everywhere, up to a new round of discussion of the personality of systemd's creator (I will not name him, otherwise it will start here too).

    In general, they discussed everything except the bug itself, which really is not so terrible, although serious. This is a genuinely important topic: people try to judge the quality of a product by its vulnerabilities. A typical example of this approach is the rankings of software with the largest number of discovered holes. I will offer my own interpretation: in most cases a vulnerability is just a vulnerability, and the discovery of a problem by itself says nothing about the quality of the software or hardware. To justify this statement, we need to discuss the D-Link router.

    A researcher found 20 vulnerabilities in the D-Link DWR-932B router
    News. Research.

    Researcher Pierre Kim carried out a security analysis of the D-Link DWR-932B router. It is a portable device with a built-in 4G modem. The results showed that the device's protection is, let's say, far from ideal. The author puts it more bluntly and suggests simply getting rid of such devices: nothing can be done with them. Details of the vulnerabilities are at the links above; I give only a brief summary:



    - A hardcoded administrator password, with telnet and SSH access enabled by default
    - A backdoor that allows control of the device with no password at all
    - A hardcoded default PIN for WPS connections
    - PIN generation by a predictable algorithm (based on the current time); that is, if the owner actually triggers the generation procedure in the web interface, otherwise see the previous item
    - For some reason, an account for the No-IP dynamic DNS service is baked into the firmware
    - Many assorted vulnerabilities in the web interface
    - Updates are downloaded over HTTP, authenticating to the server with a hardcoded default password (an HTTPS connection is provided, but the certificate has expired)
    - An insecure implementation of UPnP
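    To show why time-seeded PIN generation is weak, here is an added C example; the generator is an assumption for illustration, not the router's actual code. It seeds the libc PRNG with a Unix timestamp and produces an eight-digit WPS-style PIN, and an attacker who knows only roughly when the PIN was made recovers the seed by brute force. The checksum routine is the standard WPS PIN checksum (the same one hostapd implements); the timestamp and the /dev/urandom-based alternative are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Standard WPS PIN checksum digit: a PIN is 7 free digits plus this
 * digit, so the checksum adds no entropy at all. */
static uint32_t wps_pin_checksum(uint32_t pin7) {
    uint32_t accum = 0;
    while (pin7) {
        accum += 3 * (pin7 % 10);
        pin7 /= 10;
        accum += pin7 % 10;
        pin7 /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* Hypothetical time-seeded generator (assumption, not the router's code):
 * seed the libc PRNG with a timestamp and take 7 digits. */
static uint32_t weak_pin_from_seed(uint32_t seed) {
    srand(seed);
    uint32_t pin7 = (uint32_t)rand() % 10000000u;
    return pin7 * 10 + wps_pin_checksum(pin7);
}

/* Attacker: knowing the PIN was generated within t0 +/- window seconds,
 * try every candidate second. That is 2*window+1 generator calls instead
 * of the 10^7 candidates the 7 free digits would suggest. */
static int recover_seed(uint32_t observed_pin, uint32_t t0, uint32_t window,
                        uint32_t *seed_out) {
    for (uint32_t s = t0 - window; s <= t0 + window; s++) {
        if (weak_pin_from_seed(s) == observed_pin) {
            *seed_out = s;
            return 1;
        }
    }
    return 0;
}

/* End-to-end: generate a PIN at true_seed, let the attacker guess the time
 * with an error of skew seconds, and confirm the recovered seed reproduces
 * the PIN. Returns 1 on success. */
static int demo_recover(uint32_t true_seed, uint32_t skew, uint32_t window) {
    uint32_t pin = weak_pin_from_seed(true_seed);
    uint32_t found = 0;
    if (!recover_seed(pin, true_seed + skew, window, &found))
        return 0;
    return weak_pin_from_seed(found) == pin;
}

/* What the generator should do instead: draw the 7 digits from the OS
 * entropy pool. Returns 1 and a well-formed PIN on success. */
static int strong_pin(uint32_t *pin_out) {
    uint32_t r;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return 0;
    size_t got = fread(&r, sizeof r, 1, f);
    fclose(f);
    if (got != 1)
        return 0;
    uint32_t pin7 = r % 10000000u;   /* tiny modulo bias, acceptable here */
    *pin_out = pin7 * 10 + wps_pin_checksum(pin7);
    return 1;
}

/* Self-check for the strong generator: produced and checksum-valid. */
static int strong_pin_valid(void) {
    uint32_t pin = 0;
    if (!strong_pin(&pin))
        return 0;
    return pin < 100000000u && wps_pin_checksum(pin / 10) == pin % 10;
}

int main(void) {
    uint32_t seed = 1475452800u;   /* constructed timestamp */
    printf("weak PIN for seed %u: %08u\n", seed, weak_pin_from_seed(seed));
    printf("recovered within +/-60 s of a 17 s-off guess: %d\n",
           demo_recover(seed, 17, 60));
    printf("strong PIN well-formed: %d\n", strong_pin_valid());
    return 0;
}
```

    The attacker's cost is set by how well the generation time can be bounded, not by the PIN length; a device whose first boot or "generate PIN" click can be dated to within a day still leaves under 10^5 candidates, which WPS offers no way to rate-limit meaningfully.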

    Pierre Kim's argument is as follows: with this router you can do anything you like, up to replacing the firmware. The latter is unlikely to be needed, since there are other ways to seize control. The news piece gives interesting background to Kim's work (D-Link is not the researcher's first "victim") and examples of the difficulties router makers face, especially with discontinued models. In this case, incidentally, D-Link says the same thing, although the model is listed as current on the company's website.

    I return to my thesis. In most cases, a vulnerability is simply a vulnerability, and it does not by itself characterize a piece of software or a device. In today's realities it is hardly possible to make software completely free of bugs. What characterizes a vendor from a security point of view is how the company responds to vulnerability reports and how quickly and thoroughly it fixes them. In any case, there are no uniform rules for evaluating software, services and devices even by these criteria.

    But it would be nice.

    Vulnerability found in the OneTouch Ping insulin pump remote control system
    News. Rapid7 study.

    We conclude with a more optimistic example of interaction between a researcher, a vendor, and even a state regulator, although the occasion, frankly, is depressing. Rapid7 discovered a vulnerability in OneTouch Ping insulin pumps from Animas Corp., a division of Johnson & Johnson. An insecure protocol between the pump and its remote control allows the parameters of the medical device to be changed.



    The remote and the pump communicate by radio at 900 MHz and exchange keys when pairing, but the insufficiently protected algorithm allows an attacker to take over the channel and, at a minimum, decrypt the transmitted information about the device's status. There is also an easier way: Rapid7 found that the device has no protection whatsoever against replaying traffic between the legitimate remote and the pump. That is, an attack is possible in which a command to deliver an insulin dose is sent from the real remote and then repeated from a fake one, with the theoretical possibility of an overdose.
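    As an added example (not Rapid7's code and not the real radio protocol; the frame layout, key and doses are constructed assumptions), the C program below models the replay problem: a pump that accepts any captured command beside one that requires a keyed tag and a strictly increasing sequence number. The tag is a placeholder FNV-1a hash standing in for a real MAC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed remote-to-pump command; assumed layout, not the real frame. */
typedef struct {
    uint32_t seq;         /* counter the remote increments per command */
    uint16_t dose_units;  /* requested bolus, in tenths of a unit */
    uint32_t tag;         /* keyed tag over seq || dose_units */
} bolus_cmd;

typedef struct {
    uint32_t last_seq;    /* highest sequence number accepted so far */
    uint32_t delivered;   /* total tenths of a unit delivered */
} pump_state;

/* Placeholder keyed tag: FNV-1a over key || seq || dose. NOT a
 * cryptographic MAC; a real device would use HMAC or an AEAD under a key
 * established by a strong pairing. */
static uint32_t toy_tag(const uint8_t key[16], uint32_t seq, uint16_t dose) {
    uint8_t buf[16 + 4 + 2];
    memcpy(buf, key, 16);
    memcpy(buf + 16, &seq, 4);
    memcpy(buf + 20, &dose, 2);
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* Remote side: build a fresh, tagged command. */
static bolus_cmd remote_build(const uint8_t key[16], uint32_t seq, uint16_t dose) {
    bolus_cmd c = { seq, dose, 0 };
    c.tag = toy_tag(key, seq, dose);
    return c;
}

/* Vulnerable pump: no freshness check, so a captured frame can be
 * replayed any number of times. */
static int pump_accept_vulnerable(pump_state *p, const bolus_cmd *c) {
    p->delivered += c->dose_units;
    return 1;
}

/* Hardened pump: the tag must verify and seq must be strictly newer than
 * the last accepted one; a replay of an old capture is rejected. */
static int pump_accept_hardened(pump_state *p, const uint8_t key[16],
                                const bolus_cmd *c) {
    if (toy_tag(key, c->seq, c->dose_units) != c->tag)
        return 0;                     /* forged or modified frame */
    if (c->seq <= p->last_seq)
        return 0;                     /* replay (or stale reorder) */
    p->last_seq = c->seq;
    p->delivered += c->dose_units;
    return 1;
}

/* Scenario: the legitimate remote sends one 5.0-unit bolus (50 tenths);
 * an attacker replays the captured frame twice. Returns tenths delivered. */
static uint32_t scenario(int hardened) {
    static const uint8_t key[16] = "constructed-key";   /* 15 chars + NUL */
    pump_state pump = { 0, 0 };
    bolus_cmd captured = remote_build(key, 1, 50);
    for (int i = 0; i < 3; i++) {     /* original delivery + two replays */
        if (hardened)
            (void)pump_accept_hardened(&pump, key, &captured);
        else
            (void)pump_accept_vulnerable(&pump, &captured);
    }
    return pump.delivered;
}

/* Attacker edits the dose in a captured frame but cannot recompute the
 * tag without the key. Returns 1 if the hardened pump rejects it. */
static int forged_rejected(void) {
    static const uint8_t key[16] = "constructed-key";
    pump_state pump = { 0, 0 };
    bolus_cmd c = remote_build(key, 1, 50);
    c.dose_units = 250;               /* 25 units, tag now stale */
    return pump_accept_hardened(&pump, key, &c) == 0 && pump.delivered == 0;
}

int main(void) {
    printf("vulnerable pump delivered: %u tenths\n", scenario(0));
    printf("hardened pump delivered:   %u tenths\n", scenario(1));
    printf("forged dose rejected:      %d\n", forged_rejected());
    return 0;
}
```

    The counter check alone is not the whole fix: last_seq must survive a pump reset (or a replay from before the reset gets through), and the tag is only as good as the pairing key behind it, which is the other weakness the study describes.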

    Both the researchers and the vendor argue that the probability of the attack being used in practice is small. It requires being in close proximity to the device's owner (about 3 meters), although a replay can be carried out with a more powerful transmitter from as far as a kilometer away. The manufacturer has begun sending customers recommendations for mitigating the risk: remote control can be disabled altogether. In addition, an alert can be programmed for when the dosage exceeds safe limits.

    It is impossible to fix the vulnerability outright right away, since the pump has no Internet connection (and it is good that it doesn't). The actions of the research company (which disclosed the information only now, although it found the problems back in April) and of the vendor were assessed positively by the regulator, the US Food and Drug Administration. For comparison, here is an example of the wrong approach to vulnerability research in medicine: this summer MedSec found vulnerabilities in pacemakers but, for some reason, disclosed them not to the manufacturer but to an investment company, which published the data (everyone there is now hopelessly mired in lawsuits).

    If there is one place where exemplary security is definitely needed, it is medical devices.

    What else happened:
    Yahoo was accused of aiding American intelligence services (mass scanning of email correspondence). The most high-profile news of the week, but without hard facts or confirmation from anyone else.

    One of the most powerful DDoS attacks, which took place two weeks ago, was in fact carried out by a botnet of IoT devices (webcams in particular). And then someone published the source code used to automatically find and compromise vulnerable devices.

    Antiquities


    “Stone-Sex-a, -b”

    Infects disks when they are accessed (int 13h, ah = 2, 3). The old contents of the modified sectors (the boot sector on a floppy, the MBR on a hard disk) are saved at 1/0/3 (head/track/sector) on floppies or at 0/0/8 (0/0/7, depending on the virus version) on hard disks. When booting from an infected floppy, with probability 1/3 they display:

    "Stone-Sex-a": "EXPORT OF SEX REVOLUTION ver. 1.1"
    "Stone-Sex-b": "EXPORT OF SEX REVOLUTION ver. 2.0"

    Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992. Page 98.

    Disclaimer: this column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on luck.
