
Security Week 40: systemd bug, 20 vulnerabilities in the D-Link router, breaking insulin pumps

Right away, two popular news items this week raise an important topic: assessing the severity of vulnerabilities in particular, and determining the security of software or hardware in general. In order: on October 3, the founder of the SSLMate service, Andrew Ayer, reported a vulnerability in the systemd init daemon (news, Ayer's original post). The vulnerability is a denial of service and can only be exploited locally. Any user who enters the command `NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""` can hang the system. The bug, caused by incorrect handling of a zero-length message and already closed, had existed in systemd for two years, starting with version 209.

With plenty of examples for comparison (Shellshock, for example, or the same Heartbleed), one can say quite confidently that this is far from the worst bug in the world. Nevertheless, the flame war around the problem turned out to be large-scale. The reason lies in the available description of the bug: "You can hang the system with a message that fits in one tweet." And in the sharp reaction of the CTO of Pantheon, which actively supports systemd. And so on, all the way to a new round of discussion of the personality of systemd's creator (I won't name him, or it will start all over again).

In short, everything got discussed except the bug itself, which, indeed, is not so terrible, although it is serious. This is a really important topic: people try to judge the quality of a product by its vulnerabilities. A typical example of this approach is the ratings of software with the most holes found. I will try to offer my own interpretation: in most cases a vulnerability is just a vulnerability, and in itself the discovery of a problem does not qualify the software or hardware in any way. And to justify this statement, we need to discuss the D-Link router.

A researcher found 20 vulnerabilities in the D-Link DWR-932B router
News. Research.
Researcher Pierre Kim analyzed the D-Link DWR-932B router from a security point of view. This router is a portable device with an integrated 4G modem. The results of the study showed that the protection of the device is, let's say, far from ideal. The author puts it more directly and suggests simply getting rid of such devices, since nothing can be done about them. Details of the vulnerabilities can be found at the links above; I will just give a brief summary:

- Hard-coded admin password, with telnet and SSH connections enabled by default
- A backdoor that allows the device to be controlled without any password
- Hard-coded default PIN for connecting via WPS
- PIN generation using a predictable algorithm (based on the current time). This matters only if the owner actually runs the generation procedure in the web interface; otherwise, see the previous item.
- For some reason, an account for the No-IP service (dynamic DNS) is hard-coded into the firmware
- Many different vulnerabilities in the web interface
- Updates are downloaded over HTTP, with authorization on the server using a default password (an HTTPS connection is provided, but the certificate has expired)
- Insecure implementation of the UPnP protocol

Pierre Kim's argument is this: you can do anything you want with the router, up to and including replacing the firmware. The latter is hardly even needed, since control can be seized in other ways. The news item provides interesting background on Kim's work (D-Link was not the researcher's first "victim") and examples of the difficulties faced by router developers, especially when it comes to models taken out of production. In this case, by the way, D-Link says the same thing, although on the company's website the model is listed as current.

Returning to my thesis. In most cases, a vulnerability is simply a vulnerability, and it does not characterize the software or the device. In today's reality, no information security effort is likely to produce software completely free of bugs. A vendor's security characteristics consist of how the company reacts to vulnerability reports, and how quickly and effectively it closes them. In any case, there are no uniform rules for evaluating software, services or devices, even by these criteria.

And it would be nice.

A vulnerability was discovered in the OneTouch Ping remote insulin pump management system
News. Rapid7 study.

Let's finish with a more optimistic example of interaction between a researcher, a vendor, and even a state regulator. Although the reason for it is, frankly, depressing. Rapid7 discovered a vulnerability in OneTouch Ping insulin pumps produced by Animas Corp., a division of Johnson & Johnson. The insecure communication protocol between the pump and its remote control allows the operating parameters of the medical device to be changed.

The remote and the pump communicate over the air at 900 MHz; when connecting they exchange keys, but the insufficiently protected algorithm allows control to be intercepted and, at a minimum, the transmitted information about the device's state to be deciphered. There is an even simpler way: Rapid7 found that the device was in no way protected against replaying the communication between the legitimate remote and the pump. That is, an attack is possible in which a command to increase the insulin dose is transmitted from the real remote and then replayed from a "fake" one, with the theoretical possibility of a drug overdose.

Both the researchers and the vendor claim that the probability of the attack being used in practice is small. To carry it out, you need to be in close proximity to the owner of the device (about 3 meters), although replaying the data can be done successfully with a more powerful transmitter even from a kilometer away. The manufacturer began sending clients recommendations for eliminating the risk: remote control can be turned off altogether. In addition, a warning can be programmed for when the drug dosage goes outside safe limits.
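To make the two points above concrete, here is an added toy model (not code from the post, from Rapid7 or from the vendor) of the remote-to-pump command channel: a pump with no freshness check accepts a captured dose frame twice, while one that requires a MAC under the session key, a strictly increasing counter and an in-range dose rejects the replay and the over-limit command. All names, the key and the dose limit are constructed for the example.

```python
import hashlib
import hmac

MAX_DOSE_UNITS = 10.0  # constructed safe-limit threshold, not a clinical value
SESSION_KEY = b"constructed-session-key"  # stands in for the pairing key exchange

def tag_for(key: bytes, counter: int, dose: float) -> bytes:
    # MAC over (counter, dose) under the session key shared at pairing
    msg = counter.to_bytes(4, "big") + f"{dose:.2f}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class NaivePump:
    # Models the described flaw: no freshness check, so a captured frame works twice
    def __init__(self):
        self.delivered = []
    def receive(self, frame):
        self.delivered.append(frame[2])
        return "delivered"

class HardenedPump:
    # Requires a valid MAC, a strictly increasing counter, and an in-range dose
    def __init__(self, session_key: bytes):
        self.key, self.last_counter, self.delivered = session_key, 0, []
    def receive(self, frame):
        counter, tag, dose = frame
        if not hmac.compare_digest(tag, tag_for(self.key, counter, dose)):
            return "rejected: bad mac"       # forged or tampered frame
        if counter <= self.last_counter:
            return "rejected: replay"        # old frame re-sent
        self.last_counter = counter
        if dose > MAX_DOSE_UNITS:
            return "rejected: over limit"    # the safe-limit warning from the post
        self.delivered.append(dose)
        return "delivered"

class Remote:
    def __init__(self, session_key: bytes):
        self.key, self.counter = session_key, 0
    def send_dose(self, dose: float):
        self.counter += 1
        return (self.counter, tag_for(self.key, self.counter, dose), dose)

def simulate():
    remote, naive, hardened = Remote(SESSION_KEY), NaivePump(), HardenedPump(SESSION_KEY)
    frame = remote.send_dose(2.5)           # legitimate command, observed over the air
    results = {
        "naive_replay": (naive.receive(frame), naive.receive(frame)),
        "hardened_replay": (hardened.receive(frame), hardened.receive(frame)),
        "tampered": hardened.receive((frame[0] + 5, frame[1], 9.0)),
        "over_limit": hardened.receive(remote.send_dose(25.0)),
    }
    return results, sum(naive.delivered), sum(hardened.delivered)
```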

Completely eliminating the vulnerability is not possible right away, since the pump has no Internet connection (and it is probably just as well that it doesn't). The actions of the research company (they disclosed the information only now, although they found the problems back in April) and of the vendor were positively assessed by the regulator, the US Food and Drug Administration. For comparison, we can mention an example of an incorrect approach to vulnerability research in medicine. This summer, MedSec found vulnerabilities in pacemakers, but for some reason disclosed the information not to the manufacturer but to an investment company, which made the data public (now everyone is hopelessly mired in litigation).

Well, if there is anywhere that reference-quality security is definitely needed, it is in medical devices.

What else happened:
Yahoo is accused of abetting American intelligence (mass surveillance of e-mail correspondence). The loudest news of the week, but without real facts or evidence from anyone.

One of the most powerful DDoS attacks, which occurred two weeks ago, was in fact carried out by a botnet of IoT devices (specifically, webcams). And then someone published the source code of the tool used for automatically finding and hacking vulnerable devices.

Antiquities

"Stone-Sex-a, -b"

Infect disks when they are accessed (int 13h, ah = 2, 3). The old contents of the modified sectors (the boot sector on a floppy disk and the MBR on a hard disk) are kept at 1/0/3 (head/track/sector) for floppy disks or at 0/0/8 (0/0/7 depending on the variant) for the hard disk. When booting from an infected floppy, with a probability of 1/3 the following message is displayed:

"Stone-Sex-a": "EXPORT OF SEX REVOLUTION ver. 1.1"
"Stone-Sex-b": "EXPORT OF SEX REVOLUTION ver. 2.0"

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 98.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.

Source: https://habr.com/ru/post/311958/
