In November 2021, cybersecurity researchers discovered several critical vulnerabilities that affected Android and embedded Linux systems. Google released its monthly security update for Android, but users and manufacturers must be willing to patch the operating system to stop attackers from exploiting vulnerabilities. November’s discovered vulnerabilities cover several serious exploit opportunities for attackers including remote code execution (RCE), denial of service (DoS), a zero-day described as a use-after-free memory exploit, and kernel privilege escalation. All of these issues are serious if left unpatched, and you should update quickly to avoid being the next target.
Even with the critical risk, it’s common for many manufacturers and developers to ignore it and avoid the overhead of updates. Patching and updating the Linux kernel requires testing, since something could go wrong and lead to downtime and potential disaster. To avoid that, we at L4B are working together with our customers to ensure a smooth upgrade so that their IVI and IC systems are secure and their downtime is minimized.
Outdated Android and New Dangerous CVEs
Android powers many IVI systems, and some OEMs remain on older versions of Android (versions 6 – 8) because they’re stable. Despite that stability, any developer who remains on these old versions of Android leaves their application open to numerous critical vulnerabilities. It makes the entire system a ticking time bomb waiting for the right hacker to identify and exploit a known vulnerability.
Google releases patches frequently to address and remediate vulnerabilities, but it’s common for automotive OEMs and system manufacturers to update only after a long process of testing. While testing is necessary, it leaves a window of opportunity for attackers to exploit unpatched Linux kernels and systems with known vulnerabilities. If the vulnerability includes a proof of concept, attackers can use it to quickly create exploits to find unpatched systems.
The most notable vulnerability in Google’s latest release is CVE-2021-1048, but Google listed several others in its Android Security Bulletin. CVE-2021-1048 leaves systems vulnerable to two exploits: write-what-where conditions and use-after-free memory manipulation. Both could lead to random memory disclosure or remote code execution, which is a critical risk to leave unpatched.
Several other vulnerabilities were patched with the latest security update, all of which could have serious consequences if an embedded system is left on older versions. L4B Automotive will provide you with smooth update solutions for securing and stabilizing your system if you don’t have confidence in the Android upgrade process. With our BSP automatic validation lab, we ensure safe and secure artifacts and OS images.
Updating the Linux Kernel Is as Important as Patching Third-Party Software
The most notable vulnerability for Linux comes from BusyBox, which is a popular Unix utility that contains several applets common on programmable logic controllers (PLC), IoT devices, human-machine interfaces (HMIs), and remote terminal units (RTUs). It’s this application that was found to introduce several vulnerabilities on embedded systems in November 2021.
Researchers announced 14 vulnerabilities covering CVE-2021-42373 through CVE-2021-42386. All of these CVEs leave the system vulnerable to denial of service, and 10 of them could be exploited for remote code execution.
The discovered BusyBox vulnerabilities affect a variety of versions, so every OEM or system manufacturer installation should be updated. Researchers examined firmware from a number of embedded systems and found that 40% of systems were vulnerable. This discovery makes millions of applications and environments vulnerable to critical data loss and crashes, and they should be updated immediately for security reasons.
Although exploiting these vulnerabilities would require specific conditions and a sophisticated attack, it’s still risky to leave any system using BusyBox unpatched. It might seem like an unnecessary patch, but all developers and manufacturers should keep cybersecurity and protection of their systems a priority. Patching embedded systems protects customers and their data, and negligent oversight of critical environments has the potential for brand damage, customer loss, revenue loss, and future litigation costs.
Just like Android systems, it’s understandable that many automotive OEMs and manufacturers hesitate to upgrade right away before testing. Testing is always necessary, but the longer you wait, the longer the window of opportunity for an attacker. L4B Automotive can partner with you to ensure that your environment is secure while keeping the update process running smoothly and efficiently.